b'DEPARTMENT CRITICAL INFRASTRUCTURE\n PROTECTION IMPLEMENTING PLANS TO\nPROTECT CYBER-BASED INFRASTRUCTURE\n\n        U.S. Department of Justice\n      Office of the Inspector General\n               Audit Division\n           Audit Report 04-05\n            November 2003\n\x0c  DEPARTMENT CRITICAL INFRASTRUCTURE PROTECTION\n    IMPLEMENTING PLANS TO PROTECT CYBER-BASED\n                 INFRASTRUCTURE\n\n\n                            EXECUTIVE SUMMARY\n\n      The Department of Justice (Department) and other government\ndepartments and agencies are required to prepare and implement plans for\nprotecting critical infrastructure. The infrastructure includes systems\nessential to the minimum operations of the economy and government, such\nas telecommunications, banking and finance, energy, and transportation.\nAccording to the Critical Infrastructure Assurance Office\xe2\x80\x99s (CIAO)\nNational Plan for Information Systems Protection, the threat is that a group\nor nation hostile to the United States will seek to "inflict economic damage,\ndisruption and death, and degradation of our defense response" by attacking\nour critical infrastructure.1 Critical infrastructure protection plans are\nrequired to include an inventory of the Department\'s mission-essential\nassets, an assessment of each asset\'s vulnerabilities, and plans to remediate\nthose vulnerabilities.\n\n       In May 1998, Presidential Decision Directive 63 (PDD 63) required all\nfederal agencies to achieve and maintain the ability to protect the nation\xe2\x80\x99s\ncritical infrastructures from intentional acts that would significantly diminish\ntheir ability to perform essential national security missions and ensure\ngeneral public health and safety. 
Achieving and maintaining this ability is\nreferred to as \xe2\x80\x9cfull operating capability.\xe2\x80\x9d PDD 63 required the Department to\nreach full operating capability by May 2003.\n\n        The National Plan for Information Systems Protection, Version 1.0,\nissued by the CIAO in 2000, describes full operating capability as the ability\nto ensure that any interruption or manipulation of critical functions is\n\xe2\x80\x9c. . . brief, infrequent, manageable, geographically isolated, and minimally\ndetrimental to the welfare of the United States.\xe2\x80\x9d Further, the Draft Critical\nInfrastructure Protection (CIP) Plan indicates that full operating capability for\nthe Department is comprised of:\n\n\n\n      1\n           The CIAO was created in May 1998 to coordinate the federal government\xe2\x80\x99s\ninitiatives on infrastructure assurance.\n\n\n\n\n                                           -i-\n\x0c   \xe2\x80\xa2   identifying the Minimum Essential Infrastructure (MEI) and\n       interdependencies and identifying and addressing their vulnerabilities,2\n\n   \xe2\x80\xa2   detecting attacks and unauthorized intrusions,\n\n   \xe2\x80\xa2   sharing attack warning and information in a secure and timely manner,\n       and\n\n   \xe2\x80\xa2   responding to attacks and reconstituting and recovering assets that\n       were subject to attacks.\n\n      The Department of Justice Office of the Inspector General (OIG)\npreviously audited the adequacy of the Department\'s planning and\nassessment activities for protecting its critical computer-based\ninfrastructure. Over 20 Inspectors General conducted similar audits of their\nown agencies as part of an effort sponsored by the President\'s Council on\nIntegrity and Efficiency (PCIE). 
Our November 2000 report noted that the\nDepartment had submitted its initial critical infrastructure protection plan to\nthe CIAO as required, and the Department had revised its initial plan\naccording to comments received from an Expert Review Team. However, we\nconcluded that the Department had not yet: 1) adequately identified all of\nits mission-essential assets, 2) assessed the vulnerabilities of each of its\nassets, 3) developed remedial action plans for identified vulnerabilities, and\n4) developed a multi-year funding plan for reducing vulnerabilities. As a\nresult, the Department\'s ability to perform certain vital missions was at risk\nfrom terrorist attacks or similar threats.\n\n      Our current audit of critical infrastructure protection is a continuation\nof the executive branch-wide effort by the PCIE. We, along with other OIGs,\nwho are conducting similar audits, focused on the adequacy of\nimplementation activities for protecting critical computer-based\ninfrastructures. 
Specifically, we reviewed Department activities in the areas\nof: risk mitigation; emergency management; interagency coordination;\nresource and organization requirements; the recruitment, education of\nInformation Technology (IT) personnel; and computer security awareness.\nIn addition, we reviewed follow-up activities undertaken with regard to the\nrecommendations of our November 2000 report and found that the\n       2\n            The MEI is the framework of critical organizations, personnel, systems, and\nfacilities that are absolutely required in order to provide the inputs and outputs necessary to\nsupport the core processes essential to accomplishing an organization\xe2\x80\x99s core mission as\nthose missions relate to national security, national economic security, or continuity of\ngovernment services.\n\n\n\n\n                                            - ii -\n\x0cDepartment has made progress in the implementation of its CIP Plans, but\nmuch significant work remains to be done.\n\nBackground\n\n       Within the Department, the Justice Management Division (JMD)\ndevelops, promulgates, and reviews implementation of departmentwide\npolicies, standards, and procedures for the management of automated\ninformation processing resources. Within JMD, the Chief Information Officer\n(CIO) has oversight responsibility for CIP for the Department. Within the\nOffice of the CIO, the Information Technology Security Staff (ITSS) has\nprimary responsibility for critical infrastructure planning and\nimplementation.3\n\n       In May 2003, the CIO reorganized the information resource\nmanagement function. At that time, the ITSS was established, and it is now\nresponsible for developing and implementing policies and procedures for\ninformation systems security programs. Prior to the reorganization, these\nfunctions were managed by the Information Management and Security Staff\n(IMSS). 
Upon its establishment, the ITSS retained the prior staff and\noversight responsibilities of the IMSS. The ITSS also gained responsibility\nfrom JMD Computer Services Staff (CSS) for managing the Department of\nJustice Computer Emergency Response Team (DOJCERT). The DOJCERT\nassists component organizations with incident handling and resolution, and it\nis the centralized reporting entity for the Department. All components are\nrequired to report computer security incidents to the DOJCERT and the\nDOJCERT issues any necessary alerts to components and external agencies.\n\n      Within the Department, critical infrastructure protection is a shared\nresponsibility between JMD and the various component organizations. Each\ncomponent is responsible for identifying its MEI, assessing vulnerabilities,\ndeveloping remediation and funding plans, and ensuring the implementation\nof the plans. JMD is responsible for coordinating the departmentwide effort\nand ensuring that the components comply with applicable requirements.\n\n       3\n          Prior to September 11, 2002, JMD Security and Emergency Planning Staff had\noversight of IT security for the classified systems of the Department, while the CIO\xe2\x80\x99s\nInformation Management and Security Staff had oversight for the sensitive but unclassified\nsystems. After September 11, 2002, the CIO is responsible for overseeing and implementing\nsecurity policy and practices for both classified and sensitive but unclassified systems. The\nstandards, procedures, and guidelines are coordinated with the Department\xe2\x80\x99s Security\nOfficer.\n\n\n\n\n                                           - iii -\n\x0cRisk Mitigation\n\n       The Department is required to conduct vulnerability assessments to\nidentify risks to its critical infrastructure. 
After the vulnerability\nassessments, remedial action plans are required to mitigate the exploitation\nof risks until the vulnerabilities are eliminated or reduced to an acceptable\nlevel. The remedial action plans should be system specific and should\nidentify the vulnerability, responsible office, mission impact, mitigation\naction, long-term correction, and estimated costs and milestones for\ncorrective measures.\n\n      JMD completed a vulnerability assessment in March 2002. JMD\nreviewed the management controls developed to implement the\nDepartment\xe2\x80\x99s CIP program and evaluated the controls against requirements\ncontained in reports and other documents from the\nGeneral Accounting Office, the National Critical Infrastructure Assurance\nOffice, and the General Services Administration. The JMD review identified\nthe following four individual vulnerabilities associated with the program.\n\n   1. The CIP Plan needed to be updated to incorporate the implementation\n      plan and the Department\xe2\x80\x99s new Strategic Plan.\n\n   2. The inventory of mission-essential assets required revalidation by\n      components after the events of September 11, 2001.\n\n   3. JMD needed to address the risk of not meeting the full operating\n      capability date of May 2003.\n\n   4. Seven of the mission-essential systems required an independent\n      certification and accreditation.\n\n       As previously mentioned, the National Plan for Information Systems\nProtection, Version 1.0, issued by the CIAO describes full operating\ncapability as the ability to ensure that any interruption or manipulation of\ncritical functions is \xe2\x80\x9cbrief, infrequent, manageable, geographically isolated,\nand minimally detrimental to the welfare of the United States.\xe2\x80\x9d Several\nitems remain to be completed before the Department can reach full\noperating capability. 
In July 2002, IMSS officials indicated that mitigation\naction for all program vulnerabilities was progressing on target and would be\ncompleted on schedule. However, we found that the IMSS did not\neffectively manage the mitigation actions because it did not provide\ncomponents sufficient time to provide required data to revalidate the MEI.\n\n\n                                    - iv -\n\x0c       Another item we found that prevented the Department from reaching\nfull operating capability was that project plans were not developed to ensure\nfull operating capability by May 2003. In April 2003, we updated our\nassessment of progress by the IMSS/ITSS and found that project plans had\nbeen completed and included in the revised draft CIP Plan. However, those\nplans did not include completion dates for all tasks, and 54 of 73 tasks were\nnot completed by May 2003. However, in our judgment four key tasks\nprevent the Department from achieving full operating capability. The four\ntasks are:\n\n   \xe2\x80\xa2   development of contingency plans for systems without plans or\n       revision of inadequate plans,\n\n   \xe2\x80\xa2   testing of the contingency plans,\n\n   \xe2\x80\xa2   incorporation of vulnerabilities into the Security and Management\n       Reporting Tool (SMART) database for tracking purposes,4 and\n\n   \xe2\x80\xa2   development of a SMART database for classified systems.\n\n      As a result of these tasks not being completed timely, the Department\nhas less than adequate assurance that critical IT asset vulnerabilities will be\nmitigated adequately or timely.\n\nEmergency Management\n\n      The Department\xe2\x80\x99s April 1999 CIP Plan established the critical elements\nfor an effective emergency management program and charged a CIP\nTask Force with its implementation.5 The Department\xe2\x80\x99s emergency\nmanagement program, as envisioned in the CIP Plan, was to incorporate the\nelements of Indications and Warnings; Incident Collection, 
Reporting, and\nAnalysis; and Response and Contingency Plans.\n\n\n\n       4\n          The SMART database is a set of user interface, database management, and\nbusiness intelligence tools designed to assist the Department CIO and program managers as\nwell as the security administrators in identifying, controlling, and monitoring the\nperformance of a component\xe2\x80\x99s IT security program and its IT systems.\n       5\n           The CIP Task Force was comprised of representatives from law enforcement,\nlitigating divisions, and administrative offices.\n\n\n\n\n                                          -v-\n\x0c       Regarding Indications and Warnings, the plan intended to establish an\neffective and secure mechanism for: a) receiving threat indication and\nwarning information from the intelligence community and law enforcement\nagencies concerning the critical infrastructure of the Department and the\nnation, and b) disseminating this information in a timely manner to\nappropriate Department components. The IMSS was to ensure the existence\nof secure, effective, and timely communication channels for passing threat\ninformation from internal and external organizations to Department\ncomponents at both headquarters and field locations charged with the\nprotection of the Department\xe2\x80\x99s critical infrastructure assets.\n\n       Regarding Incident Collection, Reporting, and Analysis, the Plan\nintended to define and establish an effective and secure mechanism for\ncollecting, reporting, and analyzing incident information about actual and\npotential attacks on the Department\xe2\x80\x99s critical infrastructure assets. 
The\nestablished method should have ensured that information generated from\ncomputer security incidents was received from Department components and\ndisseminated throughout the Department and to other intelligence and law\nenforcement agencies, as appropriate, in a timely manner.\n\n      Regarding Response and Contingency Plans, the Plan intended to\ndefine and establish sound response and contingency plans to ensure the\nDepartment\xe2\x80\x99s critical infrastructure assets could be restored to the minimum\noperational effectiveness necessary to support the Department\xe2\x80\x99s missions\nshould these critical infrastructure assets be subjected to successful attack.\nResponse plans identify actions for responding to a significant infrastructure\nattack while the attack is underway. Contingency plans identify actions\nrequired to rebuild or restore an infrastructure after it has been damaged.\nThe CIP Plan required that response and contingency plans should be\nprepared, reviewed, and approved by Department officials, and be exercised\non a periodic basis to ensure that the plans can be effectively implemented.\n\n       The CIP Plan also established several intermediate milestones for\nimplementing the three essential elements of the Department\xe2\x80\x99s emergency\nmanagement program. Full implementation of the program was to occur no\nlater than September 28, 1999.\n\n     Although the April 1999 CIP Plan contained a comprehensive blueprint\nand milestones for an effective, centrally managed Department emergency\nmanagement program, we found that such a program was not fully\nimplemented. 
Many of the critical emergency management program\nelements relating to indications and warnings, incident collection, reporting\n\n\n\n                                    - vi -\n\x0cand analysis, and response and contingency planning were neither\nestablished nor operating.\n\n       Communication channels were established for passing threat\ninformation, but the IMSS did not determine whether the channels were\nsecure, effective, and provided timely information as required by the\nCIP Plan. Additionally, the IMSS did not verify whether effective liaisons\nwith the FBI\xe2\x80\x99s National Infrastructure Protection Center or the Strategic\nInformation Operations Center were established and ongoing. Unless all\nindication and warning elements are in place, the Department does not have\nthe assurance that communication channels for sharing vulnerabilities are\nsecure and that components are receiving timely information to better equip\nit to respond to computer security incidents.6\n\n      Detailed procedures for the components to follow in reporting\ncomputer security incidents were developed by the CSS, but the IMSS could\nnot substantiate whether the procedures were implemented and were being\nfollowed by components. According to the IMSS staff, tabulated summaries\non the number and type of incidents are reported each month. However,\nthe IMSS could not provide tabulated summaries regarding the nature,\nfrequency, category, and remediation of prior Department computer security\nincidents or possible trends and potential systemic weaknesses based on\nanalyses of prior incidents. 
Although there is no specific requirement that\nthe IMSS maintain documentation for these activities, without such\ndocumentation the Department does not have assurance that additional\nprocedures for collecting and analyzing incidents as required by the CIP Plan\nwere developed and are in place.\n\n      We also found that detailed response procedures for computer security\nincidents had been established, but the IMSS had not ensured that the\nprocedures were implemented and were being followed. Specifically, the\nIMSS did not verify whether components had developed, implemented, and\nmaintained internal incident response procedures and whether components\nhad identified appropriate individuals responsible for reporting incidents to\nthe DOJCERT.\n\n      Department Order 2640.2D requires components to develop and test\ncontingency plans as well as site plans detailing responses to emergencies\n\n\n      6\n        An incident is an occurrence that has been assessed as having an adverse effect on\nthe security or performance of an information system.\n\n\n\n\n                                          - vii -\n\x0cfor IT facilities, but the IMSS staff could not provide support that\ncomponents had done so.\n\n       The CIP Task Force was responsible for developing and implementing\nthe CIP Plan, including the emergency management program, but the\nTask Force ceased operating during calendar year 2000 and has had no\nfurther involvement in implementation activities. IMSS officials told the OIG\nthat other activities are operating within the Department to mitigate the\nactivities not performed by the CIP Task Force. As noted previously, we\nfound weaknesses in the Department\xe2\x80\x99s emergency management. 
As a\nresult, the Department has less than adequate assurance that it can\neffectively respond to computer attacks and security incidents.\n\nInteragency Coordination\n\n        There are two primary objectives for establishing effective interagency\ncoordination relating to CIP. First, the CIP Plan requires the Department to\nestablish and maintain effective liaisons with entities proposing and\npromulgating security measures and plans relating to CIP. Doing so ensures\nthat the Department receives the most up-to-date information for protecting\nits critical IT asset systems. Second, the CIP Plan requires the Department\nto establish and maintain effective liaisons with all entities for which\nDepartment IT systems either receive or provide critical data supporting\nnational security, national economic security, and/or crucial public health\nand safety activities. All Department IT systems either receiving or\nproviding such information must be identified and included in the\nDepartment\xe2\x80\x99s MEI as critical IT assets and receive the special protection\nafforded under the CIP program.\n\n       Although the CIP Plan contained comprehensive requirements for\nimplementing an effective interagency coordination program, as detailed\nbelow, such a program has not been established within the Department.\nIMSS officials did not ensure that components\xe2\x80\x99 headquarters and field offices\ndeveloped lists of current federal and interagency liaisons and memoranda of\nunderstanding associated with CIP. The Department did not establish a\nmethod for ensuring coordination between the various Department entities\nand liaisons with outside organizations related to critical infrastructure\nprotection. Components did not forward to the IMSS lists of liaisons and\nrelationships. 
Consequently, the centralized database of liaisons and\nrelationships was not created and maintained, nor was any entity within the\nDepartment serving as the focal point for all liaisons and relationships\npertaining to CIP. A working group, or other means of communication, was\n\n\n\n                                     - viii -\n\x0cnot established to ensure that information is effectively shared between\nDepartment components having interagency relationships and liaisons.\n\n     Without such a program for interagency coordination, the Department\ncannot ensure that information will be accessible from Department assets\nwhen needed.\n\nResource and Organizational Requirements\n\n       The Department\xe2\x80\x99s CIP Plan required identification of the resources and\norganization necessary to protect critical assets. This was to be\naccomplished largely through the efforts of the CIP Task Force. Although we\nfound that the CIP Task Force did not fully carry out the responsibilities in\nthis area of the CIP Plan, the Department has undertaken some efforts to\nensure its resource and organizational requirements are adequately\nidentified. However, full implementation of the CIP Plan has not been\nachieved. Studies contracted for by JMD done in lieu of studies by the CIP\nTask Force have not assessed the linkage between budgetary and personnel\nshortfalls and the Department\xe2\x80\x99s critical infrastructure weaknesses. We\nconcluded that completion of this activity is crucial to the Department\xe2\x80\x99s\nefforts to ensure that its resource and organization requirements have been\nmet.\n\nRecruiting, Educating, and Awareness\n\n      The Department\xe2\x80\x99s 1999 CIP Plan recognized the need to recruit, retain,\nand educate both Department and contractor personnel in the areas of\nphysical and information security. The Plan called for the completion of\nvarious programs to ensure that these needs were met. 
Some of these\nprograms have been fully accomplished. For example, on April 15, 2003,\nthe Department implemented a departmentwide initiative to provide\ncomputer security awareness training. However, we found that the\nrecruitment and retention program called for in the Plan was not fully\nimplemented and, as a consequence, the Department lacks assurance that it\nhas been able to attract and retain the best possible CIP staff.\n\nFollow-up on Prior Audit\n\n      In our November 2000 report on \xe2\x80\x9cDepartment Critical Infrastructure\nProtection \xe2\x80\x93 Planning for the Protection of Computer Based Infrastructure,\xe2\x80\x9d\nwe found that the Department had not yet: 1) identified all of its\nmission-essential assets, 2) assessed the vulnerabilities of each critical\nasset, 3) developed remedial action plans for identified vulnerabilities, or\n\n\n                                    - ix -\n\x0c4) developed a multi-year funding plan for reducing vulnerabilities. During\nthis current audit, we tested follow-up actions taken regarding these\nrecommendations. We found that the IMSS had completed some of the\nrequired corrective actions. However, further work is required regarding the\nMEI inventory, plans to address weaknesses identified in vulnerability\nassessments, and development of a multi-year funding plan for the\nremediation of vulnerabilities.\n\nSummary\n\n       By May 2003 all federal agencies were required to achieve and\nmaintain the ability to protect our nation\xe2\x80\x99s critical infrastructures from\nintentional acts that would significantly diminish their ability to perform\nessential national security missions and ensure general public health and\nsafety. While the Department has activities planned and in-progress to help\nit reach this full operating capability, some of those plans lack completion\ndates. Absent those dates, there is no assurance that the Department will\never reach full operating capability. 
As described above, the Department did\nnot reach full operating capability by May 2003 as required, and as a\nconsequence the Department\xe2\x80\x99s critical infrastructures remain at risk.\n\nRecommendations\n\n      Our Report contains 26 recommendations to help improve the\nDepartment\xe2\x80\x99s efforts to manage critical infrastructure protection. These\ninclude recommending that the Department:\n\n  \xe2\x80\xa2   develop a risk mitigation tracking system for the inventory of classified\n      mission-essential infrastructure systems;\n\n  \xe2\x80\xa2   develop a multi-year funding plan based on resources required to\n      mitigate vulnerabilities as identified in the Plans of Actions and\n      Milestones;\n\n  \xe2\x80\xa2   develop contingency plans for all critical IT assets;\n\n  \xe2\x80\xa2   test contingency plans periodically as required by Department Order\n      2640.2D;\n\n  \xe2\x80\xa2   compile a list of links, relationships, and contacts with other federal\n      agencies and other entities (foreign governments, state and local\n      agencies, and the private sector); and\n\n\n\n                                      -x-\n\x0c\xe2\x80\xa2   contact external entities to determine whether any Department assets\n    are critical to their missions.\n\n\n\n\n                                 - xi -\n\x0c                               TABLE OF CONTENTS\n\n\nBACKGROUND .................................................................................... 1\n               A. The Department\xe2\x80\x99s Management of Critical Information\n                     Technology Assets ................................................ 3\n               B. Framework for Assessing Adequacy of CIP Program... 5\n               C. Prior Office of the Inspector General Reports ............ 8\n               D. General Accounting Office Reports ........................ 10\n\nFINDINGS AND RECOMMENDATIONS ................................................... 
12\n\nFINDING 1: ESTABLISHING A RISK MITIGATION PROGRAM ................... 12\n               A. Vulnerability Assessments and Risk\n                   Mitigation.......................................................... 12\n               B. Progress Toward Mitigating Program\n                   Vulnerabilities .................................................... 14\n               C. Progress Toward Mitigating Critical IT Asset\n                   Vulnerabilities .................................................... 23\n               D. Conclusions ....................................................... 32\n               E. Recommendations .............................................. 33\n\nFINDING 2: ESTABLISHING AN EMERGENCY MANAGEMENT PROGRAM .... 35\n               A. Department Efforts to Establish an Emergency\n                   Management Program for the Protection of Critical\n                   Infrastructure Assets .......................................... 35\n               B. Implementation of the Emergency Management\n                   Program ........................................................... 37\n               C. Overall Causes for and Effect of Not Fully\n                   Implementing an Emergency Management Plan ...... 46\n               D. Conclusions ....................................................... 46\n               E. Recommendations .............................................. 48\n\nFINDING 3: ESTABLISHING AN EFFECTIVE INTERAGENCY\nCOORDINATION PROGRAM ................................................................. 50\n               A. Importance of Establishing an Effective\n                   Interagency Coordination Program........................ 50\n               B. CIP Plan Requirements for Establishing an\n                   Effective Interagency Coordination Program ........... 51\n               C. 
An Interagency Coordination Program as\n                   Envisioned in the CIP Plan Was Not Implemented ... 52\n               D. Reasons Why an Effective Interagency\n                   Coordination Program Was Never Established......... 52\n\x0c                    E.   Conclusions ....................................................... 58\n                    F.   Recommendations .............................................. 59\n\nFINDING 4: MEETING DEPARTMENT RESOURCE AND\nORGANIZATIONAL REQUIREMENTS ..................................................... 60\n              A. Requirement in the CIP Plan ................................ 60\n              B. Implementation of the CIP Plan for Resource and\n                  Organizational Requirements .............................. 61\n              C. Recommendation ............................................... 63\n\nFINDING 5: ESTABLISHING EFFECTIVE RECRUITING, EDUCATING\nAND AWARENESS PROGRAMS............................................................. 64\n               A. Planned Programs .............................................. 64\n               B. Recruitment ..................................................... 65\n               C. Education and Training........................................ 65\n               D. Awareness ........................................................ 66\n               E. Recommendation ............................................... 67\n\nFINDING 6: FOLLOW-UP ON THE PRIOR OIG AUDIT OF DEPARTMENT\nCRITICAL INFRASTRUCTURE PLANNING FOR THE PROTECTION OF\nCOMPUTER BASED INFRASTRUCTURE .................................................. 68\n               A. Inventory the Department\xe2\x80\x99s MEI........................... 69\n               B. Complete Vulnerability Assessments of the\n                  Department\xe2\x80\x99s MEI by December 31, 2000 .............. 69\n               C. 
Remedial Plans to Address Weaknesses Identified\n                  by the Vulnerability Assessments.......................... 70\n               D. Multi-Year Funding Plan for the Remediation\n                  of Vulnerabilities ................................................ 70\n\nAPPENDIX 1        OBJECTIVES, SCOPE, AND METHODOLOGY .................... 71\n\nAPPENDIX 2        ABBREVIATIONS AND ACRONYMS................................. 73\n\nAPPENDIX 3        STATEMENT ON COMPLIANCE WITH LAWS AND\n                  REGULATIONS ........................................................... 75\n\nAPPENDIX 4        STATEMENT ON MANAGEMENT CONTROLS..................... 76\n\nAPPENDIX 5        DEPARTMENT OF JUSTICE\xe2\x80\x99S COMPUTER-BASED\n                  MINIMUM ESSENTIAL INFRASTRUCTURES...................... 77\n\nAPPENDIX 6        CRITICAL ASSET DESCRIPTIONS .................................. 78\n\x0cAPPENDIX 7    PCIE/ECIE DESCRIPTION ............................................. 83\n\nAPPENDIX 8    THE TWELVE CRITICAL IT ASSET VULNERABILITIES ........ 84\n\nAPPENDIX 9    FLOW OF INFORMATION WITH THE DEPARTMENT OF\n              STATE AND US CUSTOMS ............................................ 90\n\nAPPENDIX 10   DEPARTMENT ENTITIES THAT HAD CIP TASK FORCE\n              MEMBERS.................................................................. 91\n\nAPPENDIX 11   JMD\xe2\x80\x99S RESPONSE TO THE DRAFT REPORT ...................... 92\n\nAPPENDIX 12   OIG, AUDIT DIVISION ANALYSES AND SUMMARY OF\n              ACTIONS NECESSARY TO CLOSE REPORT .....................101\n\x0c                                   BACKGROUND\n\n      According to the July 2002 Office of Homeland Security\xe2\x80\x99s,\n\xe2\x80\x9cNational Strategy for Homeland Security,\xe2\x80\x9d terrorists may seek to cause\nwidespread disruption and damage, including casualties, by attacking\nelectronic and computer networks which are linked to other critical\ninfrastructures. 
Terrorist groups exploit new information technology and the Internet to plan attacks, raise funds, spread propaganda, collect information, and communicate securely. Cyber attacks are anticipated to become an increasingly significant threat as terrorists further develop their technical capabilities and become more familiar with potential targets.

The February 2003 Office of Homeland Security’s National Strategy to Secure Cyberspace indicates that a spectrum of malicious actors can and do conduct attacks against our critical information infrastructures.7 Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to the nation’s critical infrastructures, economy, or national security. The required technical sophistication to carry out such an attack is high and partially explains the lack of a debilitating attack to date. However, there have been instances where attackers have exploited vulnerabilities that may be indicative of more destructive capabilities.

According to the National Plan for Information Systems Protection, the threat is that a group or nation hostile to the United States will seek to "inflict economic damage, disruption and death, and degradation of our defense response" by attacking our critical infrastructure. Presidential Decision Directive 63 (PDD 63) requires that the Department of Justice’s (Department) critical infrastructure protection plans include an inventory of the Department's mission-essential assets, an assessment of each asset's vulnerabilities, and plans to remediate those vulnerabilities.

The terrorist attacks of September 11, 2001, prompted the Attorney General to make counterterrorism the Department’s highest priority. The Department reflected this new priority in its Strategic Plan for Fiscal Years 2001 – 2006, which was issued in November 2001.
In the Strategic Plan, the Attorney General recognized that in the fight against terrorism, the Department would need to improve the integrity and security of computer systems and make more effective use of information technology.

7 On March 1, 2003, the Department of Homeland Security (DHS) was created, and all of the functions and duties of the Office of Homeland Security were transferred to it. The National Strategy to Secure Cyberspace is an implementing component of the National Strategy of Homeland Security.

PDD 63, issued in May 1998, called for a national effort to assure the security of the nation’s critical infrastructure. The critical infrastructure consists of physical and computer-based systems essential to the minimum operations of the economy and government. This includes, but is not limited to, telecommunications, banking and finance, energy, transportation, and essential government services. The minimum essential infrastructure (MEI) is the framework of critical organizations, personnel, systems, and facilities that are absolutely required in order to provide the inputs and outputs necessary to support the core processes essential to accomplishing an organization’s core mission as they relate to national security, national economic security, or continuity of government services.

PDD 63 requires that agencies take measures to eliminate any significant vulnerability to both physical and cyber attacks on the nation’s critical infrastructures.
Each federal department and agency was required to prepare a plan for protecting its own critical infrastructure, including an inventory of the department’s or agency’s mission-essential assets and an assessment of the vulnerabilities of those essential assets.

Under PDD 63, by December 2000 departments and agencies were to have assessed information system vulnerabilities and adopted a multi-year funding plan to remedy the vulnerabilities. By May 2003, departments and agencies were to have achieved “full operating capability.” The National Plan for Information Systems Protection, Version 1.0, issued by the Critical Infrastructure Assurance Office (CIAO), describes full operating capability as the ability to ensure that any interruption or manipulation of critical functions is “brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States.” The Draft Critical Infrastructure Protection (CIP) Plan indicates that full operating capability for the Department is comprised of:

• identifying the MEI, interdependencies, vulnerabilities, and developing plans to address the vulnerabilities;
• detecting attacks and unauthorized intrusions;
• sharing attack warning and information in a secure and timely manner; and
• responding to attacks, and reconstituting and recovering assets that were subject to attacks.

A. The Department’s Management of Critical Information Technology Assets

The Justice Management Division (JMD) develops, promulgates, and reviews implementation of departmentwide policies, standards, and procedures for the management of automated information processing resources.
Within JMD, the Chief Information Officer (CIO) has oversight responsibility for the implementation of CIP within the Department. Within the Office of the CIO, the Information Technology Security Staff (ITSS) has primary responsibility for critical infrastructure planning and implementation.8

The ITSS was established within the Office of the CIO in May 2003, and its 14-member staff is responsible for developing and implementing policies and procedures for IT investment management and information systems security programs. Prior to May 2003 the responsibilities now managed by the ITSS were managed by the IMSS. With the change of name in May 2003, the ITSS retained the prior staff of the IMSS and the prior IMSS’s responsibilities for oversight of the CIP program. In addition, the ITSS gained responsibility from JMD Computer Services Staff (CSS) for managing the Department of Justice Computer Emergency Response Team (DOJCERT). The DOJCERT assists component organizations with incident handling and resolution, and it is the centralized reporting entity for the Department. All components are required to report incidents to the DOJCERT. The DOJCERT issues any necessary alerts to components and external agencies.

Within the Department, critical infrastructure protection is a shared responsibility among JMD and various component organizations. Each component aids the IMSS in identifying its MEI, developing remediation and funding plans, and ensuring the implementation of the plans.
JMD is responsible for coordinating the departmentwide effort and ensuring that the components comply with applicable requirements.

In our November 2000 report on “Department Critical Infrastructure Protection – Planning for the Protection of Computer Based Infrastructure,” we stated that as required by PDD 63, JMD submitted the Department’s initial critical infrastructure plan to the CIAO in November 1998 (November 1998 Plan). In January 1999, the Expert Review Team returned the results of its review and asked the Department to revise the plan accordingly.9 The Department addressed some of the Expert Review Team’s comments and submitted its revised plan to the CIAO in April 1999.

8 Prior to September 11, 2002, JMD Security and Emergency Planning Staff (SEPS) had oversight for information technology (IT) security for the classified systems of the Department and Information Management and Security Staff (IMSS) had oversight for the sensitive but unclassified (SBU) systems. Since that time, the CIO is responsible for overseeing and implementing security policy and practices for both National Security Information (NSI) and SBU systems. The standards, procedures, and guidelines are coordinated with the Department’s Security Officer.

In response to the Department’s new priorities following September 11, 2001, JMD made changes in its strategic priorities and business practices. Among these changes, JMD issued guidance that there would be an equal emphasis on the protection of critical assets, whether physical, personnel, or cyber-based. A revalidated MEI was completed December 2002.
The revalidation process incorporated the change in emphasis on physical assets and personnel, a 72-hour loss criterion developed by the CIAO, and changes in the goals and strategic objectives in the Department’s Strategic Plan.

The Department’s MEI has evolved over time as a result of policy changes and JMD’s refinement of its inventory of critical assets. The December 2002 version of the MEI consists of 21 systems from three Department components – the Drug Enforcement Agency (DEA), Federal Bureau of Investigation (FBI), and JMD. By contrast, the January 2001 version of the MEI consisted of 20 systems from those same components and the Immigration and Naturalization Service (INS). Both inventories are contained in Appendix 5 of this report. When the MEI was revalidated in December 2002, eight assets were removed from the January 2001 version, and nine others were added. During the period of our review, the IMSS, at various times, had CIP oversight responsibilities for 29 critical assets.10

9 PDD 63 created an interagency Expert Review Team. The Expert Review Team reviewed and commented on agency plans in accordance with a set of essential plan elements to ensure quality, continuity, and effective implementation of agency plans to protect critical infrastructures.

10 During the course of our audit, the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) joined the Department of Justice and the INS transferred to the DHS. The CIP efforts that we evaluated did not include any CIP efforts associated with the ATF, except as noted on page 23.

B.
Framework for Assessing Adequacy of CIP Program

In 1999 the President’s Council on Integrity and Efficiency (PCIE) initiated a governmentwide review of the nation’s critical infrastructure assurance program.11 The review is being completed in four phases. The objective of the Phase 1 review was to assess the adequacy of the agency planning and assessment activities for protecting critical cyber-based infrastructures. The objective of Phase 2 was to assess the adequacy of agency implementation activities for protecting their critical cyber-based infrastructure. In Phase 3 we assessed the adequacy of agency planning and assessment activities for protecting the Department’s critical noncyber-based infrastructures. The objective of Phase 4 will be to assess the adequacy of implementation activities for protecting noncyber-based infrastructures. In the Department, we previously completed audits for Phases 1 and 3.12 This audit is performed as part of Phase 2 of the PCIE effort.

During Phase 1, we reviewed the adequacy of Department plans, asset identification efforts, and initial vulnerability assessments. Over 20 Inspectors General conducted similar audits in their own agencies as part of an effort sponsored by the PCIE. The Phase 1 report, issued November 2000, stated that the Department had submitted its initial critical infrastructure protection plan to the CIAO as required.
The Phase 1 report also stated that the Department revised its initial plan according to comments received from an Expert Review Team.

Our Phase 1 audit assessed the Department’s compliance with the following requirements:

• development of a CIP Plan;
• Expert Review Team Review;
• appointment of a Chief Infrastructure Assurance Officer;
• identification of cyber-based MEI;
• vulnerability assessments;
• risk mitigation plans to stem potential damage from each vulnerability;
• establishment of an emergency management program;
• incorporation of critical infrastructure into strategic planning and the performance measurement framework;
• identification of resource and organizational requirements;
• development of a program to ensure that the Department has the personnel and skills necessary to implement a sound infrastructure protection program; and
• establishment of effective CIP coordination with other applicable entities (foreign, state and local governments, and private industry).

11 The PCIE, comprising all Presidentially-appointed Inspectors General, coordinates interagency and intra-entity audit, inspections, and investigations dealing with governmentwide issues of waste, fraud, and abuse. See Appendix 7 for more details on the PCIE.

12 The PCIE/ECIE (Executive Council on Integrity and Efficiency) delayed the Phase 2 Review until after Phase 3 to allow agencies sufficient time to implement their CIP programs.

Asset identification efforts are the Department’s measures employed to identify its MEI.
The Department’s CIP Plan indicated that the methodology to identify its MEI was to create a rank-ordered list of assets including a brief description of the asset, location, specific mission-based criteria used to identify the asset, estimated replacement costs, planned life cycle, and a brief statement as to the potential impact of the asset not being available.

A vulnerability assessment is a systematic examination of the ability of a system or application, including current security procedures and controls, to withstand assault. Agencies use vulnerability assessments to identify weaknesses that could be exploited and to predict the effectiveness of additional security measures in protecting critical assets from attack. The outcome of the assessment is a list of flaws or omissions in controls that may affect the integrity, confidentiality, accountability, and availability of resources that are essential to critical assets.

In Phase 2 of the governmentwide PCIE review, the subject of this report, we audited the adequacy of implementation activities for protecting critical cyber-based infrastructures. Specifically, we assessed the adequacy of agency activities in the following areas: 1) risk mitigation; 2) emergency management; 3) interagency coordination; 4) resource and organizational requirements; and 5) recruitment, education, and awareness.

Risk mitigation involves the selection and implementation of security controls to reduce risk to a level acceptable to management.
Risk mitigation follows the Department’s identification of critical assets and performance of a vulnerability assessment that identifies weaknesses that could be exploited.

The goal of the emergency management program is to minimize the known vulnerabilities associated with the most critical asset and infrastructure dependencies in an expeditious and cost-effective manner, and to permit the operations of critical functions in the event of disruptions. The emergency management program should include such items as indications and warnings (of an attack), incident collection, reporting and analysis, response and continuity-of-operation plans, and plans to reconstitute minimum required capabilities following a successful attack.

Interagency coordination is important because many federal government programs rely on the resources of other government agencies to fulfill their missions. Because of such reliance, the Department should identify and characterize the level to which Department assets provide support to other government agencies. Additionally, it is necessary to identify liaisons and the nature of the coordination link between the entities.

Recruitment refers to the Department’s efforts to acquire highly skilled information technology (IT) security personnel to implement the CIP program. Education, training, and awareness are also necessary to the successful implementation of any information security program. These three elements are related, but the elements involve distinctly different levels of learning. Training is geared to understanding the security aspects of the particular IT systems and applications that the individual uses. Education differs from training in both breadth and depth of knowledge and skills acquired.
Security education, including formal courses and certification programs, is most appropriate for an organization’s designated security specialists. Awareness is not training but is a prerequisite to it. The purpose of an awareness program is to focus attention on security. Awareness provides a baseline of security knowledge for all users, regardless of job duties or position.

In our Phase 3 report, issued November 2001, we reviewed the adequacy of the Department’s planning and assessment activities for protecting its critical noncyber-based infrastructures. Specifically, we assessed the adequacy of agency plans, asset identification efforts, and initial vulnerability assessments of personnel and physical assets. The report indicated that the Department had not yet: 1) adequately identified all of its mission essential assets, 2) assessed the vulnerabilities of each of its systems, 3) developed remedial action plans for identified vulnerabilities, and 4) developed a multi-year funding plan for reducing vulnerabilities.

Phase 4, if pursued, will target the adequacy of implementation activities for protecting critical noncyber-based infrastructures. Specifically, it will review the adequacy of agency activities in the following areas: risk mitigation; emergency management; interagency coordination; resource and organizational requirements; and recruitment, education and awareness.

C. Prior Office of the Inspector General Reports

We have recently performed two types of audits relevant to the Department’s management of critical infrastructure. These audits are: 1) program audits of JMD’s CIP management efforts and 2) computer security audits performed pursuant to the Government Information Security Reform Act (GISRA).13

1.
Program Audits

In our November 2000 report on “Department Critical Infrastructure Protection – Planning for the Protection of Computer Based Infrastructure,” we found that the Department had not yet: 1) identified adequately all of its mission-essential assets, 2) assessed the vulnerabilities of each critical asset, 3) developed remedial action plans for identified vulnerabilities, and 4) developed a multi-year funding plan for reducing vulnerabilities. As a result, the Department’s ability to perform certain vital missions was at risk from terrorist attacks or similar threats.

Specifically, the Department’s identification of mission-essential assets did not meet the intent of PDD 63 because it did not include personnel, interdependencies, and a complete list of facilities. Further, the methodology used did not link the MEI to those Department missions absolutely necessary to national security, national economic security, or the continuity of government services, and it did not document the criteria used to select each asset.

Additionally, in our November 2000 report, we noted that the Department decided not to fund an adequate vulnerability assessment. The vulnerability assessment included in a draft plan differed from the assessment plan in the previous version. The draft plan was based on a framework sponsored by the CIAO and reviewed by the Expert Review Team, two organizations outside of the Department with responsibility for implementing PDD 63. The revised vulnerability assessment was based on a review of past audits, compliance reviews, and assessments. As a result, the Department had not developed an inventory of flaws or omissions in controls (vulnerabilities) that may affect the integrity, confidentiality, accountability, and availability of resources that are essential to critical assets.14 Department officials said that vulnerability assessments would be performed as part of a certification and accreditation (C&A) process as ordered by the Assistant Attorney General for Administration.15

13 Beginning in November 2000, GISRA required the Office of the Inspector General (OIG) to perform independent evaluations of the Department’s information security program and practices. Beginning in FY 2003, these audits are now being conducted under the provisions of the Federal Information Security Management Act of 2002.

In our November 2001 report on “Department Critical Infrastructure Protection – Planning for the Protection of Physical Infrastructure,” we found that the Department had not yet: 1) adequately identified its physical MEI, 2) ensured that complete vulnerability assessments of all of its physical mission-essential assets have been performed, 3) developed plans to remediate weaknesses identified in the vulnerability assessments of its physical MEI, and 4) developed a multi-year funding plan for reducing vulnerabilities. While the Department initially disagreed with the results of this audit, in May 2003 JMD agreed to carry out the recommended corrective action.

2. GISRA Audits16

For FY 2001, we audited the security of four classified and five SBU computer systems. We issued two separate reports consolidating our results, one for unclassified systems and one for classified systems.17 The report on SBU systems was issued without recommendations.
Both reports stated that the Department did not adequately:

• identify and assess risks to determine needed security measures,
• establish and implement policies and controls to meet those needs,
• promote awareness so that users understand the risks and the related policies and controls required to mitigate them, or
• monitor and evaluate established policies and controls to ensure that the policies and procedures were both appropriate and effective.

Three of the five SBU systems tested had one or more of the following vulnerabilities related to contingency planning:

• Restoration priorities were not identified and an interagency agreement did not exist for the alternative processing site.
• Contingency plans were not properly reviewed or approved.
• Contingency plans were not tested.
• Contingency plan training was not conducted.

14 In Finding 6 of this report, we provide an assessment of JMD’s corrective actions with regard to the findings of our November 2000 report.

15 Certification consists of a technical evaluation of a sensitive application to see how well it meets security requirements. Accreditation is the official management authorization for the operation of the application and is based on the certification process as well as other management considerations.

16 In fulfilling its FY 2002 GISRA review requirements, the OIG reported on both classified and SBU systems in its “Independent Evaluation Pursuant to the Government Information Security Reform Act Fiscal Year 2002 Consolidated Report,” Report Number 03-19. The report is a classified document and has not been released publicly.

17 The report for the unclassified systems is “Summary of the Independent Evaluation Pursuant to the Government Information Security Reform Act, Fiscal Year 2001 Sensitive But Unclassified Systems,” Report Number 02-18. The report for the classified systems is “Summary of the Independent Evaluation Pursuant to the Government Information Security Reform Act, Fiscal Year 2001 Classified Systems,” Report Number 02-21.

D. General Accounting Office Reports

The General Accounting Office (GAO) has conducted several reviews of CIP-related efforts within the government. The following reports are among its most recent in areas related to CIP.

In a January 2003 report titled “Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures” (GAO-03-121), the GAO noted cyber CIP as a high-risk area because, in part, terrorist groups and others have stated their intentions of attacking critical infrastructures. Failure to adequately protect these infrastructures could adversely affect national security, economic security, and/or public health and safety. The GAO acknowledged that improvements are underway.
The GAO reported that recent audits of 24 of the largest agencies continue to identify significant information security weaknesses that put critical federal operations and assets in each of these agencies at risk.

In an October 2001 report titled “Information Sharing – Practices that Can Benefit Critical Infrastructure Protection” (GAO-02-24), the GAO noted that information sharing and coordination among organizations are central to producing comprehensive and practical approaches and solutions to combating computer-based threats. The GAO indicated that trust is the essential underlying element to successful information-sharing relationships. The GAO identified three other critical factors for successful information-sharing relationships:

• establishing effective and appropriately secure communication mechanisms (such as regular meetings and secure websites),
• obtaining support of senior managers at member organizations regarding the sharing of potentially sensitive member information and the commitment of resources, and
• ensuring organization leadership continuity.

The GAO noted that one of the most difficult challenges was overcoming organizations’ initial reluctance to share information. Other challenges included: 1) developing agreements on the use and protection of shared information, 2) obtaining adequate funding to cover the cost of items such as websites and meetings while avoiding seeking contributions intended primarily to promote the interests of an individual organization, 3) maintaining a focus on emerging issues of interest to members, and 4) maintaining professional and administrative staff with appropriate skills.

FINDINGS AND RECOMMENDATIONS

1.
ESTABLISHING A RISK MITIGATION PROGRAM

Our audit found that the IMSS had not established an effective risk mitigation program.18 Regarding identified CIP program vulnerabilities, IMSS staff indicated that mitigation actions were progressing on schedule; however, we found that the IMSS did not effectively manage the mitigation actions in that project plans lacked key milestone dates and the IMSS did not provide components sufficient time to provide required data for the revalidation of the MEI. Regarding the mitigation of critical IT system vulnerabilities, we found that progress plans to ensure correction of identified security weaknesses were not adequately prepared by the components to allow effective monitoring by the IMSS. This problem occurred because of the short time given to the components to respond and because the components did not adequately respond to data requested by the IMSS for mitigation plans. As a result, the Department has less than adequate assurance that critical IT asset vulnerabilities will be mitigated adequately or timely.

A. Vulnerability Assessments and Risk Mitigation

The purpose of the vulnerability assessment is to provide the Department’s Chief Infrastructure Assurance Officer with an overall assessment of the CIP program and the vulnerabilities associated with its critical IT system assets.19 The Department’s critical IT assets as they relate to CIP are also referred to as the Department’s MEI.

The vulnerability assessment identifies the risks and vulnerabilities to the Department’s CIP program and its MEI systems and makes recommendations to mitigate the identified risks. In addition, the funding level associated with IT security for each MEI asset and the overall program funding level are identified.
This allows the Department’s CIO to make informed decisions in support of the Department’s ability to execute its mission and goals as those decisions relate to critical infrastructure protection.

18 In May 2003, the CIO reorganized the information resource management function of the Office of the Chief Information Officer. The IMSS was renamed the Information Technology Security Staff (ITSS).

19 The Chief Infrastructure Assurance Officer is responsible for the protection of all aspects of that department’s critical infrastructure other than information assurance. The CIO is responsible for information assurance. PDD 63 requires these officials to establish procedures for obtaining expedient and valid authorities to allow vulnerability assessments to be performed on government computer and physical systems.

Upon completion of the vulnerability assessment, the Department components develop remedial action plans to mitigate the exploitation and the impact of any identified vulnerabilities against critical infrastructure assets until such time as the vulnerability can either be eliminated or reduced to an acceptable level. Remediation refers to those precautionary actions taken before undesirable events occur to reduce known deficiencies and weaknesses that could cause an outage or compromise a law enforcement infrastructure sector or critical asset. The precautions are applicable regardless of whether those events are acts of nature, technology, or through malicious intent.
Remediation may include education and awareness, operational process or procedural change, system configuration changes, or system component changes.

The remedial action plan should be system specific and at a minimum contain the following information:

• responsible office,
• identification of vulnerability,
• mission impact,
• mitigation action,
• long-term correction, and
• estimated cost and milestones for recommended corrective measures.

Initially, a CIP Task Force was scheduled to complete the Department Vulnerability Assessment by December 30, 1999, with approval by the Chief Infrastructure Assurance Officer on January 7, 2000.20 The IMSS staff could not explain why the CIP Task Force stopped convening during calendar year 2000, and the Task Force took no further action to complete the vulnerability assessments. JMD eventually completed the assessment in March 2002. The completed vulnerability assessment identified a total of 16 vulnerabilities, 4 of which pertained to the Department’s overall CIP program, while the remaining 12 addressed risks in the 20 information technology systems identified in the Department’s January 2001 MEI.

20 The Department’s April 1999 CIP Plan provided that “A Critical Infrastructure Protection Task Force (CIPTF) will be responsible for CIP Plan development and implementation within their respective components . . . .” The CIP Task Force was comprised of representatives from law enforcement, litigating divisions, and administrative offices. See Appendix 10 for a list of points of contact for the CIPTF.
For\nindividual vulnerabilities, an associated risk rating and the mitigating action\nfor eliminating the vulnerability or reducing the risk of the vulnerability to an\nacceptable level were identified.\n\n      Our audit work disclosed that the IMSS did not establish an effective\nDepartment risk mitigation program and that the IMSS\xe2\x80\x99s efforts to monitor\nmitigation actions were not effective. As a result, critical IT asset\nvulnerabilities may not be adequately or timely mitigated. The specific\nprogram and IT asset risk mitigation deficiencies we identified are discussed\nin the report sections that follow.\n\nB. Progress Toward Mitigating Program Vulnerabilities\n\n       JMD completed a vulnerability assessment in March 2002. JMD\nreviewed the management controls developed to implement the\nDepartment\xe2\x80\x99s CIP program and evaluated the controls against requirements\ncontained in reports and other documents from the GAO, the National\nCritical Infrastructure Assurance Office, and the\nGeneral Services Administration (GSA). The JMD review identified four\nindividual vulnerabilities associated with the program. The vulnerabilities\nare listed below and discussed in greater detail beginning in the following\ntext.\n\n   1. The CIP Plan was out of date and needed to be updated to incorporate\n      the implementation plan and the Department\xe2\x80\x99s new Strategic Plan.\n\n   2. The inventory of mission-essential assets required revalidation by\n      components after the events of September 11, 2001.\n\n   3. JMD needed to address the risk of not meeting the full operating\n      capability date of May 2003.\n\n   4. Seven of the mission-essential systems required an independent\n      evaluation.\n\n      Several items remain to be completed before the Department can\nreach full operating capability. 
In July 2002, IMSS officials indicated that\nmitigation action for all program vulnerabilities was progressing on target\nand would be completed on schedule. Our audit work initially found that the\nIMSS did not effectively manage the mitigation actions. Specifically, project\nplans were not developed and followed, and the IMSS did not provide\ncomponents sufficient time to provide required data for the revalidation of\nthe MEI.\n\n\n\n                                     - 14 -\n\x0c      We assessed the April 2003 draft CIP plan for project plans. We found\nthat while the IMSS/ITSS had completed project plans, those plans did not\ninclude milestone dates by which tasks were to be completed. Those plans\ndid not include completion dates for all tasks, and 54 of 73 tasks were not\ncompleted by May 2003. However, in our judgment four key tasks prevent\nthe Department from achieving full operating capability. The four tasks are:\n\n   \xe2\x80\xa2   development of contingency plans for systems without plans or\n       revision of inadequate plans (discussed in further detail in finding 2),\n\n   \xe2\x80\xa2   testing of the contingency plans (discussed in further detail in\n       finding 2),\n\n   \xe2\x80\xa2   incorporation of vulnerabilities into the Security Management and\n       Report Tool (SMART) database for tracking purposes (discussed later\n       within this finding),21 and\n\n   \xe2\x80\xa2   development of a SMART database for classified systems (discussed\n       later within this finding).\n\n(1) Program Vulnerability #1: Outdated CIP Plan\n\n      The March 2002 Vulnerability Assessment discussed the outdated CIP\nPlan as follows.\n\nVulnerability:    The CIP Plan is out of date and needs to be updated to incorporate\n                  the implementation plan and the Department\xe2\x80\x99s new Strategic Plan.\n      Threat:     All threats could exploit this vulnerability.\n  Discussion:     The current plan is over two years old and does not 
contain current\n                  information on the implementation of the Department\xe2\x80\x99s protection\n                  strategy. PDD 63 requires CIP Plans to be updated at least every\n                  two years. Justice Management Division has an informal\n                  implementation [plan] for the next phases of the protection\n                  strategy, but has not incorporated this plan into the overall\n                  Department CIP Plan.\n Risk Rating:     Low \xe2\x80\x93 Moderate\n   Mitigation     JMD will update the CIP Plan and will ensure it is in compliance with\n      Action:     the new Executive Orders and other Federal guidance on CIP. In\n                  addition, the Plan will map the MEI assets to the Department\xe2\x80\x99s new\n                  Strategic Plan. Estimated completion: December 2002\n       Source:   Justice Management Division\xe2\x80\x99s March 2002 Vulnerability Assessment\n\n\n\n       21\n           The SMART database is a set of user interface, database management, and\nbusiness intelligence tools designed to assist the Department CIO and program managers as\nwell as the security administrators in identifying, controlling, and monitoring the\nperformance of a component IT security program and its systems.\n\n\n\n                                            - 15 -\n\x0c       The Department\xe2\x80\x99s CIP Plan presents the broad direction for the\nDepartment\xe2\x80\x99s critical infrastructure assurance and provides the longer-range\ngoals, strategies, and performance indicators by which to measure progress\ntoward implementing a viable CIP program. Intended as a \xe2\x80\x9cliving\ndocument,\xe2\x80\x9d the CIP Plan provides a framework and continuing cycle of\nactivity for managing risk, developing security policies, assigning\nresponsibilities, and monitoring the adequacy of the Department\xe2\x80\x99s physical\nand cyber security controls. 
The Department\xe2\x80\x99s initial CIP Plan was prepared\nby JMD in November 1998. The Plan was revised in April 1999 to address\ncomments of prior reviews of the CIP program.\n\n       The March 2002 Vulnerability Assessment identified that the CIP Plan\nneeded updating to incorporate the next phases of the protection strategy\nand the Department\xe2\x80\x99s new strategic plan. The IMSS staff informed us that\nthe task of updating the Plan was assigned to a contractor. The contractor\nserves as an information technology security consultant to JMD and senior\nDepartment managers. Some of the tasks performed by the contractor\nrelating to the Department\xe2\x80\x99s vulnerability assessment include providing\ngeneral IT support to the IMSS, developing a comprehensive vulnerability\nassessment methodology, and researching and reporting on various methods\nof performing follow-up actions to ensure vulnerabilities or other issues\nidentified during the performance of vulnerability assessments have been\ncorrected. The contractor also performs other duties not related to the\nvulnerability assessment such as assisting in data entry for the SMART\ndatabase.\n\n      According to the March 2002 Vulnerability Assessment, the estimated\ncompletion date for updating the Plan was December 2002. 
A Draft CIP Plan\nwas completed April 21, 2003, and finalization was pending comments\nrequested on the plan from the Department of Homeland Security (DHS).\nIMSS officials indicated that they delayed completion of the new CIP Plan to\nincorporate guidance from the DHS\xe2\x80\x99s most recent draft of the\nNational Strategy to Secure Cyberspace.\n\n(2) Program Vulnerability #2: Revalidating MEI Assets after Events\n    of September 11, 2001\n\n      The March 2002 Vulnerability Assessment discussed revalidating MEI\nassets as follows.\n\n\n\n\n                                   - 16 -\n\x0cVulnerability:   MEI assets should be revalidated after the events of September 11,\n                 2001.\n      Threat:    All threats could exploit this vulnerability.\n  Discussion:    The Department\xe2\x80\x99s MEI assets were determined prior to the events\n                 of September 11, 2001. Although the Department did use the\n                 methodology as defined by the CIAO\xe2\x80\x99s office, the Department\n                 should revalidate the MEI inventory with the components and\n                 program managers to ensure all MEI assets are included and meet\n                 the CIAO\xe2\x80\x99s revised requirements. As an example, the CIAO\n                 introduced a 72-hour time requirement on the availability of an IT\n                 system; the system is not considered critical unless it\xe2\x80\x99s non-\n                 availability for 72 hours will prevent the Department from fulfilling\n                 its PDD 63 missions. 
Additionally, the INS and FBI have identified\n                 additional systems during the C&A process that have not been\n                 assessed relating to CIP activities.\n Risk Rating:    Moderate\n   Mitigation    JMD will explore the use of Project Matrix to assist the Department\n      Action:    in revalidating the MEI systems and critical assets.22 If Project\n                 Matrix is not used, JMD, using contractor support, will revalidate the\n                 Department\xe2\x80\x99s MEI IT assets. Justice Management Division will use\n                 the same approved methodology for the revalidation as was used\n                 for the initial selection of MEI along with new guidance identified by\n                 the CIAO\xe2\x80\x99s office. Estimated completion: November 2002\n       Source: Justice Management Division\xe2\x80\x99s March 2002 Vulnerability Assessment\n\n        Crucial to developing and implementing a CIP Plan is the identification\nof critical infrastructure assets. Within the Department, the critical\ninfrastructure is comprised of the computer systems, physical assets, and\npersonnel necessary for the Department to carry out its law enforcement\nand counterterrorism duties. In identifying the Department\xe2\x80\x99s critical\ncomputer systems, the CIP Task Force focused on internal and external\ncritical infrastructure components that are needed to protect or support\nsafety and health, law enforcement and national security, the Department\xe2\x80\x99s\nlitigation function, the administration of justice, and the Department\xe2\x80\x99s\nbusiness functions. 
Once the Department\xe2\x80\x99s critical infrastructure assets\nwere identified, the assets were listed in a consolidated MEI inventory.\n\n\n\n       22\n           Project Matrix is the name given to a method developed by the CIAO to assist\nfederal civilian departments and agencies to accomplish identification of critical functions\nand services and the assets and links necessary to perform that identification. Project\nMatrix provides an objective process to make the determination of national criticality by\nperforming standardized, systematic evaluation of an organization\xe2\x80\x99s functions and services\nand giving each a criticality score.\n\n                                           - 17 -\n\x0c      The Department\xe2\x80\x99s MEI inventory was identified in a joint effort\nbetween the components, SEPS, and IMSS using criteria based on guidance\nfrom the CIAO. The identification of the Department\xe2\x80\x99s minimum essential\ninfrastructure was completed and formally approved by the Assistant\nAttorney General for Administration on January 16, 2001. The completed\ninventory is comprised of three sections: 1) critical IT assets, 2) critical\nphysical assets, and 3) critical personnel assets. Prior to the INS transfer to\nthe DHS in March 2003, the MEI included 20 systems in the DEA, FBI, INS,\nand JMD.\n\n       Subsequent to the events of September 11, 2001, some requirements\nfor critical systems have been revised, and two components (the FBI and\nINS) have identified additional systems that have not been assessed relative\nto CIP activities. In view of these developments, JMD identified this as a\nprogram vulnerability in its March 2002 Vulnerability Assessment.\n\n       According to the March 2002 Vulnerability Assessment, the estimated\ncompletion date for revalidating MEI assets was November 2002. 
The IMSS\nstaff indicated that progress toward the completion date was satisfactory,\nand that components had a November 1, 2002, suspense date for submitting\ntheir updated MEIs to JMD. On October 7, 2002, we asked the IMSS staff\nfor a copy of the memorandum to the components establishing the\nNovember 1, 2002, suspense date. The Assistant Director of IMSS\nresponded by saying that the memorandum had not been sent and that the\ndraft was still on his desk. According to the contractor status reports, the\ncontractor had completed the draft by August 12, 2002. The IMSS staff said\nthe memorandum hadn\xe2\x80\x99t been mailed because of a shortage of staff.\nAlthough the memorandum was eventually sent to the components on\nOctober 11, 2002, this was hardly sufficient time for the components to\nupdate their MEIs and respond by the November 1, 2002, suspense date.\n\n      The revalidated MEI was completed in December 2002. Both the old\nand new MEI are contained in Appendix 5 of this report. Eight assets were\nremoved from the January 2001 MEI and an additional nine assets were\nadded. A description of the MEI assets is contained in Appendix 6. The\nassets removed from the MEI were:\n\nINS \xe2\x80\x93       Central Index System (CIS)\n            Enforcement Case Tracking System (ENFORCE)\n            Automated Biometric Identification System (IDENT)\n            Immigration and Naturalization Service\xe2\x80\x99s\n              Integrated National Communications System (INSINC)\n\n\n\n\n                                     - 18 -\n\x0cFBI \xe2\x80\x93        Criminal Justice Information System Wide Area Network\n               (CJIS WAN)\n             InfraGard\n             Intelligence Information System Network (IISNET)\n             Secure Automated Messaging Network (SAMNET)\n\n      The INS assets were removed in anticipation of the transfer of the INS\nto the DHS. 
The FBI assets were removed based on a determination that\nthe loss of those assets for 72 hours would not impede the Department from\nperforming its critical infrastructure protection duties.\n\n        The assets added to the MEI were:\n\nDEA \xe2\x80\x93        Centralized Data Intercept\n             Electronic File Room\n             Wide Area Network\n             GESCAN\n             Firebird nodes in Special Operations Division\n               (SOD) and Command Center\n\nFBI \xe2\x80\x93        Key Asset Database\n             Secure Radio System\n             Digital Storm Collection\n\nJMD \xe2\x80\x93        Metropolitan Area Network (MAN)\n\n      These assets were added to the MEI based on the revised\nrequirements for identifying critical systems.\n\n(3) Program Vulnerability #3: Risk of Not Meeting Full Operating\n    Capability by May 2003.\n\n     The March 2002 Vulnerability Assessment discussed the risk of not\nmeeting full operating capability as follows.\n\n\n\n\n                                        - 19 -\n\x0cVulnerability:     Risk of not meeting the Full Operating Capability date of May 2003.\n      Threat:      All threats could exploit this vulnerability.\n  Discussion:      PDD 63 requires that by May 2003 all Federal agencies achieve and\n                   maintain the ability to protect our nation\xe2\x80\x99s critical infrastructures\n                   from intentional acts that would significantly diminish its abilities to\n                   perform essential national security missions and ensure general\n                   public health and safety. This is referred to as \xe2\x80\x9cfull operating\n                   capability\xe2\x80\x9d in PDD 63. Any interruptions of these functions must be\n                   brief, infrequent, manageable, and minimally detrimental to the\n                   welfare of the United States. 
To achieve the full operating\n                   capability, the Department needs to be able to participate in\n                   information/intelligence sharing, respond to attacks, or reconstitute\n                   systems after successful attacks.\n Risk Rating:     Moderate\n   Mitigation     JMD will Coordinate with the Department\xe2\x80\x99s computer emergency\n      Action:     response team and components with MEI systems to ensure they\n                  have coordinated actions in the event of an attack. Justice\n                  Management Division will also coordinate with the components to\n                  ensure the contingency plans for critical IT assets are tested and\n                  kept up to date. The Department must address the vulnerabilities\n                  identified within the individual MEI system assets, and prioritize the\n                  vulnerabilities with greatest risks to the Department. Estimated\n                  completion: May 2003\n       Source: Justice Management Division\xe2\x80\x99s March 2002 Vulnerability Assessment\n\n      By May 2003 all federal agencies were to achieve and maintain \xe2\x80\x9cfull\noperating capability\xe2\x80\x9d to protect our nation\xe2\x80\x99s critical infrastructures from\nintentional acts that would significantly diminish its abilities to perform\nessential national security missions and ensure general public health and\nsafety. 
According to the Department\xe2\x80\x99s March 2002 Vulnerability\nAssessment, the estimated completion date for achieving full operating\ncapability was the same as the deadline identified in PDD 63, May 2003.\n\n      Officials of the IMSS indicated that there are four main aspects to\nattaining full operating capability:\n\n   \xe2\x80\xa2    relocating the DOJCERT to the newly established ITSS,\n\n   \xe2\x80\xa2    integrating the Department\xe2\x80\x99s CIP Plan with the planning efforts of the\n        National Infrastructure Protection Center (NIPC),23\n\n   \xe2\x80\xa2    increasing the reporting of incidents of infrastructure attacks\n        (as of October 2002, only the FBI reported incidents involving SBU\n        systems), and\n\n        23\n           The National Infrastructure Protection Center serves as a national critical\ninfrastructure threat assessment, warning, vulnerability, and law enforcement investigation\nand response entity.\n\n                                              - 20 -\n\x0c   \xe2\x80\xa2   completing an update to the CIP Plan.\n\n      The National Plan for Information Systems Protection, Version 1.0,\nissued by the CIAO, describes full operating capability as the ability to\nensure that any interruption or manipulation of critical functions is \xe2\x80\x9cbrief,\ninfrequent, manageable, geographically isolated, and minimally detrimental\nto the welfare of the United States.\xe2\x80\x9d The Draft CIP Plan indicates that full\noperating capability for the Department is comprised of:\n\n   \xe2\x80\xa2   identifying the MEI and interdependencies and identifying and\n       addressing their vulnerabilities,\n\n   \xe2\x80\xa2   detecting attacks and unauthorized intrusions,\n\n   \xe2\x80\xa2   sharing attack warning and information in a secure and timely manner,\n       and\n\n   \xe2\x80\xa2   responding to attacks and reconstituting and recovering assets that\n       were subject to attacks.\n\n       In April and May 
2003, we sought to update the Department\xe2\x80\x99s status\nin achieving full operating capability. In addressing vulnerabilities identified\nfor the MEI, we noted that the incorporation of vulnerabilities into the\nSMART database for tracking purposes was incomplete since the database\nwas not set up to track vulnerabilities for classified systems. In assessing\nthe Department\xe2\x80\x99s ability to reconstitute and recover assets after an attack,\nwe noted that there were no dates provided for the development of\ncontingency plans for components without plans nor were dates provided for\nthe revision of inadequate plans. Additionally, no further guidance was\nprovided to require testing of the contingency plans. Generally, the IMSS\nstaff could not provide the status of this effort, schedules, or milestone dates\nfor completing the effort.\n\n       The Department did not reach full operating capability by May 2003 as\nrequired. However, the Department has activities planned and in progress\nto help it reach full operating capability. Some of those plans lack dates for\ncompletion. Absent those dates, there is no assurance that the Department\nwill complete those activities timely or reach full operating capability.\n\n(4) Program Vulnerability #4: Seven MEI Systems Have Not Been\n    Independently Evaluated\n\n      The March 2002 Vulnerability Assessment discussed independent\nevaluation of MEI systems as follows.\n\n                                     - 21 -\n\x0cVulnerability:   Seven of the MEI systems have not been independently evaluated\n                 and contain unknown system vulnerabilities.\n      Threat:    All threats could exploit this vulnerability.\n  Discussion:    Of the 20 MEI systems, 7 have not received an independent\n                 evaluation. 
The current assessments rely only on the program\n                 manager\xe2\x80\x99s assessment.\n Risk Rating:   Low\n   Mitigation   JMD will conduct IV&V [independent verification and validation] or\n      Action:   penetration testing for the systems that have not undergone any\n                independent evaluation. Two of the FBI systems (SAMNET and\n                InfraGard) will be evaluated by the FBI later this year [2002].\n                Three systems [DEA Model 204 (M204), Integrated Automated\n                Fingerprint ID System (IAFIS), and National Crime Information\n                Center System, (NCIC 2000)] are currently undergoing IV&V, and\n                the final two systems (ENFORCE, IDENT) will be scheduled for\n                review in late 2002 along with the two FBI systems. Estimated\n                completion date: January 2003\n       Source: Justice Management Division\xe2\x80\x99s March 2002 Vulnerability Assessment\n\n      Department of Justice Order 2640.2D requires components to ensure\nthe C&A of all systems under their operational control prior to being placed\ninto operation. 
Until an IT system is certified and accredited, no operational\ndata can be used for any purpose, including testing in pilot systems if live\ndata is used or if the pilot system is connected to a Department network.\n\n       For each classified system and for each SBU system the C&A includes:\n\n   \xe2\x80\xa2   preparing a system security plan;\n\n   \xe2\x80\xa2   performing a risk analysis to identify security risks, determine their\n       magnitude, and identify areas needing safeguarding;\n\n   \xe2\x80\xa2   conducting and documenting a system test and evaluation;\n\n   \xe2\x80\xa2   developing a security procedures guide;\n\n   \xe2\x80\xa2   preparing and testing a contingency plan;\n\n   \xe2\x80\xa2   preparing a summary of compliance with the security requirements\n       and the statement of residual risk; and\n\n   \xe2\x80\xa2   preparing a security evaluation report with a recommendation as to\n       whether or not to accredit the system based on documented residual\n       risks.\n\n      Once a Department component completes the C&A and its\ndocumentation, the C&A is submitted to JMD for the IV&V process that is\ncontracted out to one of four contractors.\n                                         - 22 -\n\x0c        The March 2002 Vulnerability Assessment identified that of the\n20 mission-essential information systems in the Department, 7 had not\nreceived an IV&V as part of the C&A process. We found that the accuracy of\nIMSS\xe2\x80\x99s documented support of its monitoring efforts was questionable. An\ninitial status was documented in the March 2002 Vulnerability Assessment,\nand again in an undated document that we were told was prepared in\nOctober 2002. 
In the March 2002 Vulnerability Assessment, the FBI\xe2\x80\x99s IAFIS\nand NCIC 2000 systems were both reported as undergoing IV&V process;\nhowever, in the previously mentioned undated document, both systems\nwere reported as still undergoing the initial certification and accreditation by\nthe FBI\xe2\x80\x99s Security Division. As of May 2003, IAFIS and NCIC 2000 had not\nundergone the IV&V process. Independent Verification and Validation is a\nrequirement of the certification and accreditation process.\n\n      Further, the ATF transferred to the Department from the Department\nof Treasury in January 2003. According to IMSS staff, ATF systems had\nreceived interim certification, and full certification and accreditation of these\nsystems was expected to be completed by September 30, 2003. Critical\nassets from the ATF had yet to be identified. As a consequence, a\nvulnerability assessment, risk mitigation plans, and multi-year funding plans\nhad not been developed for critical assets of the ATF.\n\n       Information Management and Security Staff officials were unable to\nprovide information on vulnerability assessments for the nine newly added\nassets from non-ATF components to the MEI. According to IMSS officials,\ntheir queries to components were not answered.\n\nC. Progress Toward Mitigating Critical IT Asset Vulnerabilities\n\n(1) Background on Critical IT Asset Vulnerabilities\n\n       As previously stated, the March 2002 Vulnerability Assessment\nidentified 12 categories of vulnerabilities among the 20 IT systems\ncomprising the Department\xe2\x80\x99s mission-essential inventory. 
Sources used to\nidentify the 12 information technology vulnerabilities included vulnerability\nassessments submitted with the C&A packages, OIG system audits,\npenetration testing, and results from the Department\xe2\x80\x99s IV&V program.24\nBased on guidance from the GSA, the vulnerability assessments focused on\ncommon attack methods and publicly available cyber-attack methods. As\n\n\n       24\n          Penetration testing is security testing in which evaluators attempt to circumvent\nthe security features of a system based on their understanding of the system design and\nimplementation. The purpose of penetration testing is to identify methods of gaining access\nto a system by using common tools and techniques developed by hackers.\n\n\n\n                                          - 23 -\n\x0cestablished in the CIP Plan, highly esoteric threats and attack methods are\nto be deferred to the long-range implementation of the CIP program.\n\n       Several of the vulnerabilities could potentially allow great harm to the\nDepartment\xe2\x80\x99s ability to perform its essential national security missions and\nmaintain order. JMD prioritized the vulnerabilities according to the potential\neffect each was assessed to have on critical IT systems. 
Listed below are\nthe 12 IT asset vulnerabilities, which are further discussed in Appendix 8:\n\n   \xe2\x80\xa2   lack of auditing features, audit trails, or policies and procedures;\n\n   \xe2\x80\xa2   improper or inadequate password protection, password aging, and\n       construction;\n\n   \xe2\x80\xa2   lack of encryption;\n\n   \xe2\x80\xa2   software patches not installed for known vulnerabilities;\n\n   \xe2\x80\xa2   lack of, limited, or untested contingency plans;\n\n   \xe2\x80\xa2   lack of computer security incident response capability;\n\n   \xe2\x80\xa2   lack of access controls;\n\n   \xe2\x80\xa2   lack of configuration management;\n\n   \xe2\x80\xa2   lack of intrusion detection;\n\n   \xe2\x80\xa2   lack of or inadequate virus protection;\n\n   \xe2\x80\xa2   exploitable network services enabled; and\n\n   \xe2\x80\xa2   lack of warning banners.\n\n(2) Processes Used by the IMSS to Monitor Mitigation of the Critical\n    IT Asset Vulnerabilities\n\n      For the IMSS to track and manage components\xe2\x80\x99 efforts to close\nsecurity performance gaps, components need to document and report\nsecurity weaknesses and progress of mitigation actions. Accordingly, in\nAugust 2002, the IMSS notified each component to develop Plans of Actions\nand Milestones (POA&Ms) to ensure identified security weaknesses are\ncorrected. All Department officials would use the POA&MS as the\nauthoritative agency management mechanism to prioritize, track, and\nmanage all agency efforts to close security performance gaps.\n\n                                      - 24 -\n\x0c      Because the Department\xe2\x80\x99s POA&M was initially due to the Office of\nManagement and Budget (OMB) by October 1, 2002, the IMSS requested the\ncomponents to submit individual system and component summary POA&Ms\nto the IMSS by September 13, 2002. 
In developing the POA&Ms, components were requested to identify all security weaknesses; indicate how weaknesses were identified (for example, CFO audits, penetration testing, and self-assessment); show corrective actions; estimate completion dates; and identify resources required to remediate the IT system weaknesses. Once the POA&Ms were received from components, IMSS staff would then begin entering the data into the SMART database system.

We were told by IMSS officials that they use the SMART database system to monitor the status of the 12 IT asset vulnerabilities. The SMART system is a set of user interface, database management, and business intelligence tools designed to assist the Department CIO and program managers, as well as the security administrators, in identifying, controlling, and monitoring the performance of a component IT security program and its IT systems. During FY 2003, the SMART system is gradually becoming available to security analysts, administrators, and managers in all Department components.

Data pertaining to remediating IT asset vulnerabilities is entered into the SMART system as it is received from the components. Data entered includes all vulnerabilities identified, corrective actions taken or planned, estimated completion dates, resources required to initiate corrective actions in terms of time and dollars, and status (whether the corrective actions are closed or open). Certain data entry fields, such as estimated completion dates, resources required, and actions closed, are locked once the data is entered.

For SBU computer systems, IMSS officials indicated they had been entering component IT asset vulnerability data into the SMART system since April 2001. An IMSS official indicated that the POA&Ms have been received and entered into the SMART system, but IMSS officials did not provide all of the documentation that was requested regarding this effort. Specifically, IMSS officials did not provide the POA&M from the FBI or SMART data for systems for which the IMSS is tracking risk mitigation activity. Additionally, beginning in January 2003, components were required to provide the IMSS with quarterly updates on risk mitigation activities. Data from these updates were also to be entered in the SMART system. IMSS staff indicated that quarterly updates were being received and entered into the SMART system, but again did not provide documentation that we requested regarding this effort.

For classified computer systems, IMSS staff indicated that a tracking system is being developed into which classified vulnerability data will be entered. The system was expected to be ready for use by July 30, 2003. Twenty-nine percent (6 of 21) of the assets are classified systems. The IMSS was unable to explain how tracking currently occurs for classified systems but described the current process as "weak."

Absent the requested documentation for tracking SBU systems and the stated weakness in tracking classified systems, we could not verify that mitigation of vulnerabilities is being properly monitored.

(3) Significant Weaknesses in the IMSS Monitoring of Mitigation Activities for Critical IT Asset Vulnerabilities

We identified the following significant weaknesses regarding the IMSS's efforts to monitor mitigation actions for the 12 critical IT asset vulnerabilities.

(a) POA&Ms Were Not Properly Completed by Components

The August 29, 2002, notification requiring components to develop POA&Ms also contained detailed preparation instructions. As stated in the notification, each component was required to prepare individual system and component summary POA&Ms describing all known IT security weaknesses. At the system level, components were to indicate the source of each weakness, corrective actions, and estimated completion dates.[25] Component summaries were required to include a cross-system summary of weaknesses, steps components were taking to correct weaknesses, and completion dates. Components were also required to describe the performance measures that would be used to track progress in mitigating weaknesses.

[25] IT security weaknesses were identified through audits, system security penetration tests, self-assessments, and vulnerability assessments.

We evaluated the POA&Ms submitted by the DEA, INS, and JMD, three of the four components with critical IT systems identified in the 2001 MEI. We did not evaluate the POA&Ms submitted by the FBI. We initially requested the FBI information in October 2002. The FBI, at that time, had not provided data to the IMSS because the FBI was undergoing an intensive C&A of a portion of its systems. We updated our audit information in May 2003. Information Management and Security Staff officials indicated that the FBI had provided the IMSS with POA&Ms. We requested the FBI's POA&Ms from the IMSS, but the information had not been provided as of the date of our draft report.

In the 2002 "Summary of the OIG Fiscal Year 2002 Evaluation of the Department of Justice Information Security Program and Practices Pursuant to the Government Information Security Reform Act" report submitted to the OMB, OIG auditors concluded that the Department had not performed timely and effective oversight to ensure implementation of Department security policies. This weakness was evidenced by the components' failure to implement corrective actions in their systems' environment.

Of the POA&Ms we evaluated, none were properly completed or fully usable for tracking mitigation actions for critical IT system weaknesses. Our specific concerns are noted below.

• Of the 43 risk items identified in the vulnerability assessments for the DEA, INS, and JMD critical IT systems, only 20 risk items were addressed in the POA&M submissions. Consequently, mitigation actions for most of the vulnerabilities identified in the Department Vulnerability Assessment were not addressed by components. Although the POA&Ms are intended to reflect existing plans to correct IT weaknesses, it appears that there are no plans to correct 23 of the known weaknesses.

• None of the components identified the source of weaknesses reported in POA&Ms. Consequently, we were unable to determine whether all sources of IT security weaknesses were considered by components in developing the POA&Ms.

• None of the components described the performance measures that would be used to track progress in mitigating weaknesses, as required in the August 29, 2002, notification.

• JMD's POA&M was structured as a self-assessment questionnaire that, in our judgment, did not appear to be usable for monitoring mitigation actions.

• The DEA's POA&M did not include planned corrective actions.

Weaknesses in the POA&Ms appear to result in part from some problems with the Vulnerability Assessment on which the POA&Ms are based. The Vulnerability Assessment does not clearly identify the specific critical IT asset vulnerabilities needing mitigation, and the document contains some internal inconsistencies that could cause problems in preparation of the POA&Ms.

(b) POA&Ms Did Not Adequately Identify Required Resources for Implementing Risk Mitigation Activities

Based on the results of Vulnerability Assessments and the subsequent mitigation and response plans, there is the possibility that additional resources may need to be identified, developed, or procured to ensure the protection of the Department's critical infrastructure.

JMD's initial effort to identify budgeted resources to improve IT security for mission-essential systems is documented in the March 2002 Vulnerability Assessment. Section 5 of the assessment contains the multi-year funding plan that projects the Department will spend approximately $314.5 million in FYs 2002 through 2004 to improve IT security. The funding details are contained in the table below. We noted multimillion-dollar discrepancies in the totals submitted for the FBI, which the IMSS staff acknowledged as a math error. We corrected the table to include the Trilogy amounts in the FBI totals.[26]

[26] The Trilogy program is the FBI's 36-month program to upgrade the infrastructure technologies throughout the FBI.
It consists of three components: 1) Network, which includes high-speed connections linking FBI offices; 2) Information Presentation, which is comprised of hardware and software within each office to link each employee at their desk to FBI systems; and 3) User Applications, which includes several user-specific software tools to enhance each agent's ability to organize, access, and analyze information.

Multi-Year IT Security Funding Plan (FYs 2002 through 2004)

| Program                                                        | FY 02        | FY 03        | FY 04        |
|----------------------------------------------------------------|--------------|--------------|--------------|
| Justice Management Division                                    |              |              |              |
| Critical Infrastructure Protection Program Contract Support    | $71,135      | $123,366     | $125,833     |
| Justice Data Centers                                           | $2,302,200   | $1,583,000   | $1,617,330   |
| Justice Consolidated Network                                   | $196,260     | $200,000     | $202,635     |
| Component Total by FY                                          | $2,569,595   | $1,906,366   | $1,945,798   |
| Drug Enforcement Administration                                |              |              |              |
| Information Security Initiative                                | $2,879,000   | $6,683,000   | $6,843,000   |
| El Paso Intelligence Center Information System                 | $163,400     | $477,000     | $747,000     |
| Mercury (See Note #1)                                          | $0           | $0           | $0           |
| Merlin                                                         | $385,700     | $648,499     | $1,512,634   |
| Firebird                                                       | $2,201,100   | $18,053,400  | $18,053,400  |
| Model 204 Applications                                         | $809,400     | $2,180,000   | $2,230,000   |
| Component Total by FY                                          | $6,438,600   | $28,041,899  | $29,386,034  |
| Federal Bureau of Investigation                                |              |              |              |
| Information Assurance Initiative                               | $58,573,000  | $74,570,000  | $39,981,000  |
| Trilogy                                                        | $13,214,520  | $1,430,320   | $2,901,760   |
| Mainframes and Applications                                    | $574,294     | $750,000     | $759,924     |
| Criminal Justice Information System (CJIS) WAN                 | $193,800     | $452,000     | $452,000     |
| InfraGard (See Note #2)                                        | $0           | $0           | $0           |
| Integrated Automated Fingerprint Identification System (IAFIS) | $408,910     | $316,696     | $316,210     |
| National Crime Information Center 2000 (NCIC 2000)             | $268,690     | $202,463     | $207,750     |
| Intelligence Information System (IISNET)                       | No data provided | No data provided | No data provided |
| Secure Automated Messaging Network (SAMNET)                    | $329,500     | $436,000     | $341,000     |
| FBI Wide Area Network (FBI NET)                                | $290,000     | $290,000     | $290,000     |
| Component Total by FY                                          | $73,852,714  | $78,447,479  | $45,249,644  |
| Immigration and Naturalization Service                         |              |              |              |
| Atlas Project                                                  | $4,351,000   | $17,998,000  | $18,870,170  |
| Central Index System (CIS)                                     | $259,500     | $75,000      | $45,000      |
| Enforcement Case Tracking System (ENFORCE)                     | $1,449,250   | $985,525     | $734,598     |
| Automated Biometric Identification System (IDENT)              | $651,700     | $646,500     | $638,950     |
| Wide Area Network (INSINC) (See Note #3)                       | $0           | $0           | $0           |
| Component Total by FY                                          | $6,711,450   | $19,705,025  | $20,288,718  |
| Total by FY                                                    | $89,572,359  | $128,100,769 | $96,870,194  |
| Total all FYs                                                  | $314,543,322 |              |              |

Notes:
#1 - Funding for Mercury is included in the funding for Merlin and the Information Assurance Initiative.
#2 - No funding information available.
#3 - Funding for INSINC is included in the funding for the Atlas Project.
Source: JMD's March 2002 Vulnerability Assessment as recalculated by the OIG.

Although the multi-year funding plan was an initial attempt to identify resources budgeted to improve IT security for mission-essential systems, it did not specifically identify whether sufficient resources were budgeted to remediate the vulnerabilities identified in the March 2002 Vulnerability Assessment. The plan was not linked to the identified vulnerabilities and is not useful in identifying whether the funding amounts presented are adequate to remediate IT systemic vulnerabilities.
Accordingly, in the August 29, 2002, notification requiring components to develop POA&Ms, the IMSS also requested that components identify the resources required to mitigate vulnerabilities.

Of the three component POA&Ms that we reviewed, none adequately identified resources required to mitigate vulnerabilities.

• In its summary POA&M, the INS identified $9,350,703 in additional funding required to mitigate known IT system vulnerabilities. However, in each of its supporting system-level POA&Ms, the INS indicated that no additional resources would be required to mitigate vulnerabilities. This discrepancy was apparently undetected by the IMSS's review of the INS's POA&M.

• The POA&M submitted by JMD did not address budgeted resources required to mitigate vulnerabilities.

• The POA&M submitted by the DEA contained a column for recording resources required to mitigate vulnerabilities; however, most of the column was blank.

We discussed with the IMSS staff these problems with the POA&Ms and asked why their review of the documents did not identify the problems. We were told by the IMSS staff that their review of the POA&Ms consisted of identification of security and planning issues. An IMSS analyst determines whether the planning and funding are adequate to remediate the identified weakness. If they are not, the IMSS analyst will work with the component's representative to develop adequate plans. Information Management and Security Staff indicated that the INS probably included the $9.3 million funding requirement in its Exhibit 300 for a new system and not to mitigate weaknesses in an older system.[27]

[27] An Exhibit 300 is a capital asset plan that must be prepared for major projects and is submitted to the Department and OMB.

(c) Process Used to Monitor Components' Progress in Mitigating IT Asset Vulnerabilities Was Ineffective

The IMSS was responsible for monitoring components' progress in mitigating IT asset vulnerabilities by performing quarterly comparisons of Exhibit 300s to data stored in the SMART database. The intent of these comparisons is to determine whether actions to mitigate vulnerabilities have been funded and whether mitigating actions are ongoing.

We identified several shortcomings with this process. First, such a comparison may not be effective in that the Exhibit 300s do not provide a sufficient level of detail regarding resources budgeted to mitigate vulnerabilities associated with critical systems. The Exhibit 300s provide a narrative of corrective action but do not consistently associate costs with mitigating specific vulnerabilities. For example, the FBI's Exhibit 300 included an estimate of $569,123 for security costs of the NCIC 2000 system. The FBI's narrative explains that it will cover an audit log server system, additional intrusion detection capability, and a separate Intrusion Detection System (IDS) management network segment that collects firewall and IDS system log files. The FBI's Exhibit 300 does not provide a separate costing for the audit log server system from the additional intrusion detection capability.

At the time of our audit, the Department had not had adequate time to complete vulnerability assessments, risk mitigation plans, or multi-year funding plans for most of the assets newly added to the MEI. While the Department has efforts underway in each of the areas identified above, effective oversight is necessary if the Department is to provide adequate protection of its critical assets.

Second, such a comparison is unnecessary since components are required to identify in the POA&Ms whether required resources were identified and funded. However, the POA&Ms do not appear to be useful for this purpose.

Third, the comparison process was not summarized or documented; consequently, the IMSS was unable to show how much progress components had made in mitigating critical IT system vulnerabilities. The POA&Ms require follow-up guidance from the IMSS to be effective as a risk mitigation monitoring tool.

D. Conclusions

Through the efforts of the IMSS, the Department has made some progress in establishing and managing a risk mitigation program. The IMSS has accomplished:

• completion of vulnerability assessments,

• development of risk mitigation plans (though none properly completed),

• development of the SMART database to track risk mitigation for SBU systems,

• completion of drafting a new CIP Plan, and

• revalidation of the MEI after September 11, 2001.

Despite this progress, significant problems remain in the Department's management of the risk mitigation program. The major weaknesses that remain are identified below.

• Identification of critical assets from the ATF has yet to be completed.

• Vulnerability assessments, risk mitigation plans, and a multi-year funding plan were not developed for assets newly added to the MEI and for those to be identified from the ATF.

• The IMSS has not developed a system to track risk mitigation for classified systems.

• Resources required to mitigate vulnerabilities were not adequately identified.

• Plans of Action and Milestones were not adequately completed by components.

The Department has not had adequate time to make a vulnerability assessment or risk mitigation plans for assets newly added to the MEI and for assets transferred from the ATF. While the Department has efforts underway in each of the areas identified above, effective oversight is necessary if the Department is to provide adequate protection of its critical assets.

Our audit work disclosed that the IMSS did not establish an effective Department risk mitigation program and that the IMSS's efforts to monitor mitigation actions were not effective. Regarding the four program vulnerabilities, IMSS officials indicated that mitigation actions were progressing on schedule. However, we initially found that the IMSS did not effectively manage the mitigation actions in that project plans were developed but lacked key milestone dates for completion, and the IMSS did not allow components sufficient time to provide required data.

Regarding the mitigation of the 12 critical IT asset vulnerabilities, we found that the POA&Ms, which were required to ensure the correction of identified security weaknesses, were inadequately prepared by components. None of the POA&Ms identified required resources for implementing risk mitigation activities. Additionally, the process used by the IMSS to monitor components' overall progress in mitigating vulnerabilities was ineffective.

These problems occurred, in part, because IMSS officials did not evaluate the effectiveness of their many risk mitigation-monitoring activities. Although IMSS officials were fully aware of the PDD 63 requirement for achieving full operating capability by May 2003, the Department has not met this requirement. In its revised CIP Plan, key activities are identified but some do not include milestone dates for completion. Further, although the IMSS required components to prepare and submit risk mitigation plans, a thorough review would have disclosed that the plans contained several deficiencies. Although the IMSS was expending considerable resources to enter data from the component risk mitigation plans into its SMART database system, the process used to assess components' progress in mitigating critical risks was ineffective. Also, no system was established for monitoring risk mitigation of classified systems.

As a result of these deficiencies, the Department has not achieved the mandated "full operating capability" and has less than adequate assurance that critical IT asset vulnerabilities will be adequately or timely mitigated.

E. Recommendations

We recommend that the Assistant Attorney General for Administration:

1. Develop a tracking system for risk mitigation activities for classified MEI systems.

2. Develop a multi-year funding plan based on resources required to mitigate vulnerabilities as identified in revised POA&Ms.

3. Revise the current process used to monitor components' progress in mitigating critical IT vulnerabilities to a clear component-by-component summary.

4. Monitor and document, at least quarterly, the status of certification and accreditation for critical IT systems.

5. Ensure components submit POA&Ms completed in accordance with OMB guidance. At a minimum, the component's POA&Ms should: a) clearly address the vulnerabilities identified in the Department Vulnerability Assessment, b) include the source of the vulnerabilities so readers can refer back to the Department Vulnerability Assessment to obtain additional information, c) describe the performance measures used to track progress in mitigating weaknesses, and d) identify resources required for implementing risk mitigation activities for each identified vulnerability.

6. Conduct vulnerability assessments and develop risk mitigation plans for assets newly added to the MEI.

7. Determine the critical assets within the ATF and perform vulnerability assessments, develop risk mitigation plans, and develop a multi-year funding plan for those assets.

8. Develop a work plan, with milestone dates for key activities, for attaining full operational capability for critical infrastructure protection at the earliest possible date.

2. ESTABLISHING AN EMERGENCY MANAGEMENT PROGRAM

      Although the April 1999 CIP Plan contained a comprehensive blueprint and milestones for an effective, centrally managed Department emergency management program, such a program has not been fully implemented. Many of the critical emergency management program elements relating to indications and warnings, incident collection, reporting and analysis, and response and contingency planning were neither established nor operating. Although the CIP Task Force was responsible for developing and implementing the CIP Plan, including the emergency management program, the Task Force ceased operating during calendar year 2000 and had no further involvement in implementation activities. As a result, the Department has less than adequate assurance that it can effectively respond to computer attacks and security incidents.

A. Department Efforts to Establish an Emergency Management Program for the Protection of Critical Infrastructure Assets

The April 1999 CIP Plan established the critical elements for an effective emergency management program and tasked the CIP Task Force (CIPTF) with its implementation. The CIPTF had members in 9 law enforcement entities, 5 litigating divisions, and 12 other entities. See Appendix 10 for Department entities that had CIPTF members.
The\nDepartment\xe2\x80\x99s emergency management program, as envisioned in the CIP\nPlan, was to incorporate the following three elements.\n\n  \xe2\x80\xa2   Indications and Warnings: The purpose of this element was to\n      establish an effective and secure mechanism for: a) receiving threat\n      indication and warning information concerning the critical\n      infrastructure of the Department and the nation from the intelligence\n      community and law enforcement agencies, and b) disseminating this\n      information in a timely manner to appropriate Department\n      components.\n\n      As envisioned in the CIP Plan, the emergency management program\n      would establish effective liaisons with the Department\xe2\x80\x99s SEPS, the\n      FBI\xe2\x80\x99s NIPC, and the FBI\xe2\x80\x99s Strategic Information Operations Center\n      (SIOC). The IMSS would ensure the existence of secure, effective,\n      and timely communication channels for passing threat information\n      from internal and external organizations to Department components at\n\n\n\n                                   - 35 -\n\x0c       both headquarters and field locations charged with the protection of\n       the Department\xe2\x80\x99s critical infrastructure assets.28 In our judgment,\n       although part of the NIPC has been transferred to the DHS, an\n       effective liaison capacity is still needed.\n\n   \xe2\x80\xa2   Incident Collection, Reporting, and Analysis: This element was to\n       define and establish an effective and secure mechanism for collecting,\n       reporting, and analyzing incident information about actual and\n       potential attacks on the Department\xe2\x80\x99s critical infrastructure assets.29\n       The established method should have ensured that information\n       generated from computer security incidents was received from\n       Department components and disseminated throughout the Department\n       and to other intelligence and law 
enforcement agencies, as\n       appropriate, in a timely manner.\n\n       Incident data would be provided to the NIPC as part of the\n       National Critical Infrastructure Indications and Warnings System and\n       the Department\xe2\x80\x99s Computer Security Laboratory to establish new\n       requirements for a research and development program. The incident\n       data would also be used to support budget and resource justifications.\n\n   \xe2\x80\xa2   Response and Contingency Plans: This element was to define and\n       establish sound response and contingency plans to ensure that the\n       Department\xe2\x80\x99s critical infrastructure assets could be restored to the\n       minimum operational effectiveness necessary to support the\n       Department\xe2\x80\x99s missions, should these critical infrastructure assets be\n       subjected to successful attack.\n\n       Response plans identify actions for responding to a significant\n       infrastructure attack while the attack is underway. Contingency plans\n       identify actions required to rebuild or restore an infrastructure after it\n       has been damaged. The CIP Plan requires that response and\n       contingency plans should be prepared, reviewed, and approved by\n       Department authorities, and tested by an exercise on a periodic basis\n       to ensure that the plans can be effectively implemented.\n\n     The CIP Plan also established several intermediate milestones for\nimplementing the three essential elements of the Department emergency\n\n       28\n          The CIP Plan did not contain details as to how the communication channels would\noperate or how the communication channels would be implemented.\n       29\n          An incident is an occurrence that has been assessed as having an adverse effect\non the security or performance of an information system.\n\n                                          - 36 -\n\x0cmanagement program. 
Full implementation of the program was to occur no\nlater than September 28, 1999.\n\nB. Implementation of the Emergency Management Program\n\n      Although the CIP Plan contained a comprehensive blueprint and\nmilestones for an effective, centrally managed Department emergency\nmanagement program, such a program was never fully established. Officials\nof the IMSS indicated that the CIP Task Force, tasked with implementing the\nemergency management program, last met during calendar year 2000 and\nwas no longer in existence. In response to our inquiries, those IMSS officials\ncould not provide an explanation as to why no further effort was made to\nimplement the plan.\n\n      Officials of the IMSS also stated that although the emergency\nmanagement program as envisioned in the CIP Plan had not been\nimplemented, most of the elements of an effective emergency management\nprogram were nevertheless in place and operating throughout the various\nDepartment components. However, in evaluating the Department\xe2\x80\x99s\nresponse capabilities to computer security incidents, we found that many of\nthe four critical emergency management program elements relating to\n1) indications and warnings, 2) incident collection, reporting and analysis,\n3) response plans and 4) contingency planning were neither established nor\noperating. Our specific observations follow.\n\n(1) Indications and Warnings\n\n       The IMSS did not ensure that this element of the emergency\nmanagement program was fully implemented. According to JMD officials,\ncommunication channels were established for passing threat information\nfrom internal and external organizations to Department components at both\nheadquarters and field locations charged with protecting the Department\xe2\x80\x99s\ncritical infrastructure assets. 
Specifically, the DOJCERT is the Department\xe2\x80\x99s\ncentral point for receiving and disseminating indications and warnings.30\nWithin the DOJCERT, a contractor operates the Department\xe2\x80\x99s-Information\nSharing and Analysis Center and provides a departmentwide mechanism for\nsharing vulnerabilities to better prepare the Department for responding to\ncyber attacks. Additionally, the DOJCERT has implemented an intranet web\n\n\n       30\n          In May 2003, the IMSS name changed to the Information Technology Security\nStaff (ITSS). The ITSS retained the prior IMSS staff and responsibilities for oversight of the\nCIP program. The ITSS gained responsibility from JMD Computer Services Staff for\nmanaging the DOJCERT.\n\n                                           - 37 -\n\x0cpage that includes a search capability for previously distributed indication\nand warning bulletins, and an Internet web page for information purposes.\n\n       Although communication channels were established for passing threat\ninformation, the IMSS did not determine whether the channels were secure,\neffective, and provided timely information as required by the CIP Plan.\nAdditionally, the IMSS did not verify whether effective liaisons with the FBI\xe2\x80\x99s\nNIPC or the SIOC were established and ongoing. See Finding 3 for more\ndetails concerning liaisons not being adequately identified. Unless all\nindication and warning elements are in place, the Department does not have\nthe assurance that communication channels for sharing vulnerabilities are\nsecure and that components are receiving timely information to better equip\nthem to respond to computer security incidents.\n\n(2) Incident Collection, Reporting, and Analysis\n\n      The IMSS did not ensure that this element of the emergency\nmanagement program was fully implemented. 
Although detailed procedures\nfor components to follow when reporting computer security incidents were\ndeveloped, the IMSS did not verify that these procedures were implemented\nand being followed, nor did the IMSS ensure that security incident data was\nbeing collected and analyzed.\n\n       The JMD CSS developed the June 27, 2002, Standards, Guidelines, and\nStandard Operating Procedures for the DOJCERT (Department Manual\nTP-001). This directive was developed in response to an increase in\ncomputer attacks and contains detailed procedures for effective handling and\nreporting of computer security incidents. Department Manual TP-001\nidentifies and defines the following nine computer security incident\ncategories.\n\n   \xe2\x80\xa2   System Compromise: An unauthorized user gains system privileges\n       on Department computers.\n\n   \xe2\x80\xa2   Information Compromise: A weakness in a Department system is\n       exploited that allows unauthorized access to password files, protected\n       or restricted data, system resources, and software/code but does not\n       gain system privileges.\n\n   \xe2\x80\xa2   Unauthorized Access: A valid Department account is used without\n       permission of the owner.\n\n   \xe2\x80\xa2   Denial of Service: Department resources are unavailable for use by\n       an authorized user.\n\n                                    - 38 -\n\x0c  \xe2\x80\xa2   Misuse: An authorized user violates federal law or regulations and/or\n      Department policies regarding proper use of computer resources,\n      installs unauthorized or unlicensed software, or accesses resources or\n      privileges that are greater than those assigned.\n\n  \xe2\x80\xa2   Hostile Probes: One or more systems are used to scan targeted\n      Department systems or networks with the intent to conduct or to\n      gather information for unauthorized or illegal activities.\n\n  \xe2\x80\xa2   Malicious Software: Software developed with the intent to run on\n  
and cause harm to Department computers.

• Intrusions: Access by unauthorized individuals to Department systems that bypasses authentication mechanisms, exploits vulnerabilities in system services, eavesdrops, or monitors networks.

• Theft: Unauthorized removal of Department information and computer equipment.

Because incidents may have many possible consequences ranging from slight to catastrophic, Department Manual TP-001 outlines five priorities to consider when evaluating and dealing with computer security incidents.

• Priority 1: Protect human life and people’s safety.

• Priority 2: Protect National Security Information (NSI) data.

• Priority 3: Protect SBU data.

• Priority 4: Prevent system damage.

• Priority 5: Minimize disruption of computing resources.

The Department Manual TP-001 also contains detailed reporting requirements for components to follow in reporting computer security incidents. For incidents involving SBU systems, components are required to provide the DOJCERT a verbal report within one working day after an incident has occurred. Within five working days, a written preliminary incident report, containing as much information as possible, is to be submitted. Within ten working days of the resolution of an incident, a written formal report is to be submitted, and in cases where incident resolution is expected to take more than 30 days, a status report is to be submitted to the DOJCERT every 10 days.
For incidents involving NSI, components follow the same reporting requirements with the exception that the reports are provided to the Department Security Officer rather than to the DOJCERT.

Although detailed procedures were developed by the CSS for components to follow in reporting computer security incidents, the IMSS could not substantiate whether the procedures were implemented and were being followed. According to IMSS staff, tabulated summaries on the number and type of incidents are reported each month. However, the IMSS could not provide tabulated summaries regarding the nature, frequency, category, and remediation of prior Department computer security incidents or possible trends and potential systemic weaknesses based on analyses of prior incidents. In addition, the IMSS did not verify whether additional procedures for collecting and analyzing incidents as required by the CIP Plan were developed and in place. We asked the IMSS for an explanation of why no verification of additional procedures occurred, but IMSS officials provided no response. Although there is no specific requirement that the IMSS maintain documentation for these activities, absent such documentation, the Department does not have the assurance that additional procedures for collecting and analyzing incidents as required by the CIP Plan were developed and in place.

Absent the documentation described above, the IMSS will have little assurance that it is developing effective countermeasures from prior attacks and providing this knowledge to components to enhance response capabilities.

(3) Response Plans

We determined that the IMSS did not fully implement this element of the emergency management program.
Although requirements had been established for developing, implementing, and testing incident response procedures, the IMSS did not verify whether the procedures were in place and operating.

Department Manual TP-001 requires each Department component to: a) develop, implement, and maintain internal incident response procedures, and b) identify an appropriate individual responsible for reporting incidents to the DOJCERT. The Manual also provides the minimum level of procedures for component incident response programs and specifies that the response procedures should be documented by each component and submitted to the DOJCERT to be kept on file.

In addition to developing Department Manual TP-001, JMD CSS also developed the June 17, 2002, DOJCERT Procedures Manual, which outlines CSS Service Center and DOJCERT procedures for responding to Department computer security incidents.[31] In responding to an incident, the CSS Service Center assigns a number to the incident and completes an incident report form that is forwarded to an incident manager and then to the DOJCERT program manager for investigation and resolution.[32]

Upon notification of the incident, the DOJCERT Program Manager performs an initial assessment by: a) reviewing the incident report to determine the severity of the problem; b) locating sources and organizing steps for solutions; c) determining who should be notified and involved in working the solution; d) determining whether a Security Alert needs to be broadcast;[33] and e) determining whether the FBI, NIPC, Federal Computer Incident Response Center (FedCIRC) or SEPS need to be notified.[34] After completing the initial assessment, the Program Manager then initiates the solution identified during the assessment process and updates the ticket management system with information about the implemented solution and the incident response process.

Although
detailed response procedures for computer security incidents had been established, the IMSS had not ensured that the procedures were implemented and being followed. Specifically, the IMSS did not verify whether components had developed, implemented, and maintained internal incident response procedures and whether components had identified appropriate individuals responsible for reporting incidents to the DOJCERT. Although there is no specific requirement that the IMSS maintain documentation for these activities, absent such documentation the Department does not have assurance that response procedures are effective.

[31] The CSS Service Center was the front-end support for the DOJCERT incident and inquiry response operations. In most cases, the Service Center was the initial point-of-contact or first-level support for the DOJCERT operations staff. Since May 4, 2003, the incident and inquiry response functions have moved to the ITSS.

[32] The Program Manager is responsible for directing and managing the personnel and operations of the DOJCERT.

[33] A Security Alert should be sent under the threat and warning reporting procedures if the incident has affected or is likely to affect more than one component.

[34] Within the DHS, the FedCIRC is the central coordination and analysis facility dealing with computer security-related issues affecting the civilian agencies and departments of the federal government.

In May 2003, we sought any changes in these procedures. Information Management and Security Staff indicated that they were able to provide summary information on computer incidents, but as of June 6, 2003, no documentation had been provided.

In a 2002 review of the FBI’s Automated Case Support System pursuant to the GISRA, OIG auditors determined that the FBI was not following the incident
response requirements outlined in Department Manual TP-001.[35] Specifically, personnel had not been formally trained to identify and handle incidents, and the incident response procedures had not been centralized or implemented across the FBI. This condition occurred because the FBI had not yet developed incident response procedures that meet the requirements of the DOJCERT or trained employees in the incident response procedures and requirements. As a result, the FBI increased its risk of having incidents occur without its knowledge or proper follow-up. Had the IMSS verified implementation of the DOJCERT requirement, such lapses in complying with incident response requirements could have been avoided.

Additionally, although the CIP Plan requires periodic testing of response plans, such testing had not been conducted. Information Management and Security Staff officials maintained that response plans were in fact tested during the last major incident involving a computer worm; however, a response during a single actual incident does not constitute complete testing of the response plans because some aspects of the plan may not be involved in the response to a single live incident.[36] The IMSS officials added that testing was also unnecessary because they frequently received component warnings from the DOJCERT. They reasoned they could only receive such warnings if the response plans were working. We disagree with this reasoning because a single incident may test some aspects of a response plan while a complete test would check all aspects of the response plans.
Testing of response plans is crucial to identifying weaknesses prior to the occurrence of an actual incident.

[35] See “Independent Evaluation Pursuant to the Government Information Security Reform Act Fiscal Year 2002” (Audit Report 03-06).

[36] A computer worm is a program that replicates itself and often contains some functionality that interferes with the normal use of a computer or program. Unlike viruses, worms exist as separate entities spreading automatically over networks from one computer to the next.

(4) Contingency Plans

We determined that the IMSS did not fully implement this element of the emergency management program. Although requirements had been established requiring components to develop and periodically test contingency plans, we found that the majority had not done so.

On July 12, 2001, the JMD Information Management and Security Office issued Department Order 2640.2D, requiring components to develop contingency plans for: a) continuing missions in the event IT systems become unavailable, and b) recovering IT systems in the event of loss or failure.
In complying with the Department Order, components must ensure that contingency plans:

• identify the priorities of the system for restoration, taking into consideration the system’s role in fulfilling the Department mission and interdependency requirements;

• determine the maximum amount of elapsed time permissible between an adverse event and putting the system’s contingency plan into operation;

• determine the maximum amount of data and system settings that can be lost between the service interruption event and the last back-up (this measure determines system back-up policies); and

• identify interdependencies with other Department of Justice, state, or local agency systems that could affect contingency operations.

The Department Order also requires components to: a) test contingency resumption plans annually or as soon as possible after a significant change to the environment that would alter the in-place assessed risk, and b) develop and maintain site plans detailing responses to emergencies for IT facilities.

Although the Department Order required components to develop and test contingency plans as well as site plans detailing responses to emergencies for IT facilities, the IMSS could not provide support that components had done so. We noted the following deficiencies.

• From the January 2001 MEI, the IMSS was able to provide contingency plans for 12 of the 20 critical IT systems.
  In regard to the other eight systems, IMSS officials explained that: a) for six of the classified systems, the contingency plans were kept with SEPS, b) the contingency plan for one system was being updated, and c) for two systems the plans were no longer relevant since the systems were being reengineered and were not operational.[37] Although these explanations as to why the IMSS did not have contingency plans were plausible, the explanations were not supported by any documentation. Absent such documentation, it is not evident that the IMSS was carrying out its assigned oversight responsibilities.

  We updated the audit information in key CIP areas in May 2003. From the December 2002 MEI, the IMSS was able to provide contingency plans for only 9 of the 21 critical IT systems. According to IMSS officials, the classified files had been transferred from SEPS to the IMSS. Information Management and Security Staff officials explained that the DEA housed their own contingency plans at various locations. When asked to provide documentation of the IMSS’s review of the DEA contingency plans, IMSS officials were not able to provide any. Information Management and Security Staff stated that SEPS maintained very few contingency plans for the FBI. As a result, few FBI files were transferred to the IMSS. We attempted to review the FBI contingency plan but were not provided those plans by IMSS. Additionally, IMSS staff indicated that they were in the process of putting the FBI on a performance plan for the development of contingency plans for its systems without plans.

• Contingency Plans did not contain all elements required by Department Order 2640.2D.
  We judgmentally selected and reviewed contingency plans for the INS’s INSINC System and the Department’s CJIS WAN. As demonstrated in the following table, our review disclosed that required elements were not addressed for either contingency plan. This condition occurred, in part, because neither contingency plan showed coordination or approval actions by either the component or IMSS officials.

[37] The DEA’s EIS consists of a classified and unclassified portion. IMSS possessed a copy of the contingency plan for the unclassified portion but not for the classified portion. This difference results in EIS being counted twice even though there are only 20 systems that comprise the January 2001 MEI. See Appendix 5 for more detail.

Evaluation of INSINC and CJIS WAN Contingency Plans

Required Element                                            INSINC          CJIS WAN
Identify system priorities for restoration.                 Not Addressed   Not Addressed
Determine maximum amount of elapsed time permissible
  between an adverse event and putting the contingency
  plan in operation.                                        Not Addressed   Not Addressed
Determine the maximum amount of data and system settings
  that can be lost between the service interruption event
  and the last back-up.                                     Not Addressed   Not Addressed
Identify interdependencies with other systems.              Addressed       Not Addressed
Identify system owners, roles, and responsibilities.        Addressed       Addressed
Source: OIG analysis

  In the 2002 “Summary of the OIG Fiscal Year 2002 Evaluation of the Department of Justice Information Security Program and Practices Pursuant to the Government Information Security Reform Act” report submitted to the OMB, OIG auditors found that the Department had
weaknesses in contingency planning. This weakness was identified as a repeat weakness from the 2001 OIG report.

• Contingency plans were not tested annually as required by Department Order 2640.2D. As discussed previously, the Department first established its MEI of 20 computer assets in January 2001. This inventory was revised in December 2002 and the resulting MEI consists of 21 computer assets. Only three of the systems included on the January 2001 MEI had undergone contingency plan testing. One system with a tested contingency plan was dropped from the December 2002 MEI and another with a tested contingency plan was added. IMSS officials could not determine the status of contingency plan testing for any of the remaining eight assets newly added to the MEI as of May 2003. None of the other systems that remained from the January 2001 MEI had tested contingency plans. IMSS officials were unable to determine the status of the newly added assets because they received no response from the components to their queries. IMSS officials explained that testing of contingency plans was expensive and funds were not available; however, they were unable to provide documents showing that funding had been requested and denied. IMSS officials indicated that the Department’s Chief Information Officer had intended to issue a memorandum to components stressing the importance of testing contingency plans and providing guidance on how to perform and obtain funding to pay for the tests. As of May 2003, the document had not yet been issued.

C.
Overall Causes for and Effect of Not Fully Implementing an Emergency Management Plan

Although the CIP Task Force was charged with developing and implementing the Emergency Management program, the Task Force never did so. Information Management and Security Staff officials stated that the Task Force last met during calendar year 2000 and was no longer in existence. They added that the Task Force’s primary responsibility when it did meet was to work on Year 2000 conformity issues.[38] According to an IMSS official, once the Year 2000 conformity issues were resolved, the task force no longer convened. In response to our inquiries, IMSS officials could provide no explanation as to why no further effort was made to implement the plan.

Further, the IMSS officials stated that although the emergency management program as envisioned in the CIP Plan had not been implemented, they believed that most of the elements of an effective emergency management program were nevertheless in place and operating throughout the various Department components. We do not agree with this assessment because several of these elements are not adequately operating. Unless a centralized effort is made to verify that the various component parts of the CIP Plan are in place and operating, the Department will have little assurance that it can effectively respond to emergency computer security incidents.

D.
Conclusions

Although the CIP Plan contained a comprehensive blueprint and milestones for creating an effective emergency management program by September 1999, such a program was not fully implemented as demonstrated in the following table.

[38] Year 2000 conformity ensured that Departmental IT system performance and functionality would not be affected by dates prior to, during, and after the year 2000.

Implementation of the Department’s Emergency Management Program to Protect Critical Infrastructure IT Systems

CIP Plan Requirement       Element Implemented                       Element not Implemented
Indications and Warnings   • Communication channels established      • No verification to determine whether
                             for passing threat information            communication channels were secure,
                                                                       effective, and timely
                                                                     • No verification to determine whether
                                                                       required liaisons were established
Incident Collection,       • Requirements established for            • No verification to ensure established
Reporting, and Analysis      components to report incidents            procedures were followed by components
                                                                     • No verification to ensure incident data
                                                                       was being collected and analyzed
Response Plans             • Requirements established for            • No verification to ensure response
                             developing, implementing, and             procedures were implemented and followed
                             testing incident response procedures    • Response plans not tested
Contingency Plans          • Requirements established calling for    • No support that plans were developed for
                             components to develop and test            all critical systems
                             contingency plans                       • Plans did not address all required elements
                                                                     • Plans not tested
Source: CIP Plan and OIG analysis

In evaluating the Department’s response capabilities to computer security incidents, we found that many critical elements related to indications and warnings, incident collection, reporting and analysis, and response and contingency planning were neither established nor operating. We agree that other elements are operating, but not adequately for a successful emergency management program. Until the critical elements of an effective emergency management program are in place and operating, the Department will have less than adequate assurance that it can effectively respond to attacks to its critical infrastructure technology systems.

E. Recommendations

We recommend that the Assistant Attorney General for Administration:

9.
Define standards for secure, timely, and effective communication channels for passing indications and warning information and ensure those standards are implemented and operating.

10. Ensure that effective liaisons are established with the DHS’s FedCIRC and the FBI’s Strategic Information Operations Center and NIPC.

11. Ensure that components are in compliance with procedures for reporting incidents.

12. Ensure that data regarding departmentwide computer attacks and security incidents are collected and summarized according to the nature, frequency, category, and remediation actions taken and that analyses are performed to identify potential trends and systemic weaknesses.

13. Verify that incident data is provided to: a) the NIPC as part of the National Critical Infrastructure Indications and Warnings System, and b) the budget processes to support and justify future CIP resource expenditures.

14. Verify that components have developed, implemented, and maintained internal incident response procedures and have identified appropriate individuals for reporting incidents to the DOJCERT.

15. Ensure periodic testing of response plans.

16. Develop contingency plans for all critical IT assets.

17. Ensure that documentation is maintained supporting the existence or development of contingency plans for all critical infrastructure assets.

18. Verify that contingency plans address all required elements as identified by Department Order 2640.2D.

19. Obtain appropriate approvals for all contingency plans by component and IMSS officials.

20. Test contingency plans periodically as required by Department Order 2640.2D.

3.
ESTABLISHING AN EFFECTIVE INTERAGENCY COORDINATION PROGRAM

      The Department has not implemented an interagency coordination program, as required by the CIP plan. The Department’s CIP Plan requires Department components to develop a list of liaison and interagency relationships for the CIP Task Force to develop and maintain a database of those relationships. The CIP Task Force, tasked with the development and maintenance of the interagency coordination database, was disbanded in 2000 without developing the database or addressing any of the CIP elements. Additionally, the Department has not determined the support its assets provide to other federal agencies and entities. This was caused in part because the IMSS did not require complete information from Department components in determining the Department’s MEI. Without taking these steps, the Department cannot ensure effective coordination links exist and that information will be accessible from Department assets when needed.

A. Importance of Establishing an Effective Interagency Coordination Program

There are two primary objectives for establishing effective interagency coordination relating to CIP. First, the CIP Plan requires the Department to establish and maintain effective liaisons with entities proposing and promulgating security measures and plans relating to CIP.
Doing so ensures that the Department receives and is aware of the most up-to-date information for protecting its critical IT asset systems.

Second, the CIAO’s “Practices for Securing Critical Information Assets” provides guidance for the Department to identify and characterize the level to which Department assets provide support to other government agencies. As part of that process, the Department should establish and maintain effective liaisons with all entities for which Department IT systems either receive or provide critical data supporting national security, national economic security, and crucial public health and safety activities. All Department IT systems either receiving or providing such information must be identified and included in the Department’s MEI as critical IT assets and receive the special protection afforded under the CIP program.

Establishing and maintaining effective interagency coordination in protecting the Department’s critical IT asset systems is essential. The Assistant Attorney General for Administration, in approving the April 1999 Department’s CIP Plan, recognized the importance of interagency coordination by stating in the plan that, “In general, we believe the quickest and most effective way to achieve a much higher level of protection from the threats to our critical infrastructure is through the sector structures in partnership with the owners, operators and appropriate government agencies.”

B. CIP Plan Requirements for Establishing an Effective Interagency Coordination Program

The April 1999 CIP Plan addressed the need for cooperation with the various federal, state, and local agencies involved in the protection of the critical infrastructure as it pertained to Department operations.
The CIP Plan addressed this need by defining and establishing the specific liaisons necessary for the Department to implement a sound CIP program. Liaisons were to be established at the national level between program elements located at Headquarters and their appropriate counterparts, as well as at the state and local levels for Department field offices. The CIP Plan established the following requirements.

• Each headquarters Program office was to identify current federal and interagency liaisons associated with CIP.

• Field offices were to identify to each Headquarters Program office all new and existing liaisons and memoranda of understanding with federal, state and local entities when these liaisons relate to CIP.

• The Department was to establish a method for ensuring coordination between the various Department entities and liaisons with outside organizations as these liaisons relate to CIP.

• The identification of these relationships was to be forwarded to the CIP Task Force. Each relationship forwarded to the Task Force was to include the organizations involved, Department representative(s), reason for the liaison, Department obligations, special considerations, and the primary mission of the outside organization.

• The CIP Task Force was to maintain the overall database of the liaisons and relationships, and serve as the Department’s focal point for all liaisons and relationships pertaining to CIP.

• By May 7, 1999, the Department was to establish a working group or other means of communication in order to ensure that information was effectively shared between Department components having interagency relationships and liaisons.

C.
An Interagency Coordination Program as Envisioned in the CIP Plan Was Not Implemented

Although the CIP Plan contained comprehensive requirements for implementing an effective interagency coordination program, as detailed below, such a program was never established within the Department.

• IMSS officials did not ensure that components’ headquarters and field offices developed lists of current federal and interagency liaisons and memoranda of understanding associated with CIP.

• The Department had not established a method for ensuring coordination between the various Department entities and liaisons with outside organizations, as these liaisons relate to critical infrastructure protection.

• Components had not forwarded to the IMSS lists of liaisons and relationships. Consequently, the centralized database of liaisons and relationships was not created and maintained, nor is any entity within the Department serving as the focal point for all liaisons and relationships pertaining to CIP.

• A working group, or other means of communication, was not established to ensure that information is effectively shared between Department components having interagency relationships and liaisons.

D. Reasons Why an Effective Interagency Coordination Program Was Never Established

A primary reason for the lack of an interagency coordination program is that the CIP Task Force charged with serving as the focal point and maintaining the needed database did not address any of the CIP elements related to interagency coordination. The Task Force last met during calendar year 2000 and no longer exists.
There were two reasons why the interagency coordination program as envisioned by the CIP Plan had not been implemented.

First, IMSS officials maintained that in developing the Department’s MEI for IT assets, no Department IT system either received critical data from external entities or provided data to external entities supporting national security, national economic security, and crucial public health and safety activities. Second, IMSS officials maintained that ongoing activities within Department components effectively monitored interagency activity. For these reasons, IMSS officials believe that there was no need to implement a vigorous interagency coordination program as called for in the CIP Plan.

However, we concluded that: a) the IMSS did not properly determine whether critical exchanges of information were ongoing between Department components and other entities, and b) ongoing activities within Department components did not adequately compensate for the lack of an effective interagency coordination program as required by the CIP Plan.

(1) IMSS Did Not Properly Determine Whether Critical Exchanges of Information Were Ongoing Between Department Components and Other Entities

In identifying critical IT systems, guidance published by the CIAO states that federal agencies were initially required to develop an inventory of all candidate IT systems. To identify the critical IT systems from the list of candidates, agencies could complete an Infrastructure Asset Evaluation Survey. This survey, developed by the CIAO, identifies seven “goals” and specific functions within each goal that are characteristic of goals and functions performed by critical IT systems.
The goals identified in the survey were:

   •   perform essential national security missions,

   •   support state and local governments’ ability to maintain order,

   •   ensure orderly functions of the economy,

   •   ensure the general public health and safety,

   •   deliver minimum essential public services,

   •   determine the dependency of other government programs on the Department’s IT systems (involving critical exchanges of information), and

   •   ensure delivery of essential private sector services.

Although there is no hard and fast rule for determining what is or is not a critical IT system, in general the more goals an IT system supports – and the more significant functions the system performs within each goal – the more important the IT system is. The more important the IT system is, the higher the chances that the system will be identified as a critical asset.

We determined that the IMSS did not follow CIAO guidance in identifying its critical IT assets. IMSS officials did not require components to develop initial inventories of critical IT assets based on the Infrastructure Asset Evaluation Surveys of all candidate systems.
Instead, components were requested early in calendar year 2000 to develop their inventories based on a four-tiered Impact Level Rating Scheme as described in the following chart.

                         Impact Level Rating Scheme

      Would the loss of the asset:

      Impact Level 1:  Prevent the Department from fulfilling its mission, critical national security or national security functions, or from providing continuity of core government services. (Systems that fall in this category constitute critical assets.)

      Impact Level 2:  Significantly debilitate the ability of the Department from fulfilling its mission, critical national security or national security functions, or from providing continuity of core government services.

      Impact Level 3:  Somewhat interfere with the Department’s ability to fulfill its mission, critical national security or national security functions, or from providing continuity of core government services.

      Impact Level 4:  Have no appreciable impact on agency missions.

      Source: IMSS Instructions for Selecting Critical Assets

This approach provided little assurance that candidate IT systems were adequately evaluated against the more comprehensive seven goals and the corresponding functions within each goal identified in the Infrastructure Asset Evaluation Survey.
For example, unlike the Infrastructure Asset Evaluation Survey, the Impact Level Rating Scheme did not require components to consider dependency of other government programs on the Department’s IT systems and whether critical information exchanges were occurring.

It was only after components had already developed their initial inventories of critical IT assets that the IMSS provided components with the Infrastructure Asset Evaluation Surveys. For each critical IT system identified, components were instructed to complete the survey for only one of the seven goals identified in the survey. The survey goal selected for completion was to be determined by the primary goal actually supported by each critical IT system.

We identified two significant deficiencies with this approach. First, the purpose of the surveys was to identify critical IT systems from a list of candidate systems. Using the surveys on an already existing list of critical IT systems selected under a less comprehensive methodology was of questionable benefit. Second, IT systems may possess several goals characteristic of a critical IT system. Requiring components to complete a survey for only one of the seven goals risks overlooking other goals that may, upon closer analysis, elevate IT systems to critical status.

The net effect of these weaknesses in identifying the Department’s critical IT systems is that neither the IMSS nor the Department components considered the dependency of other government programs on the Department’s IT systems, and whether critical exchanges of information were occurring.
As a result, Department IT systems that exchanged critical information may not have been identified and considered for protection under the CIP program.

Evidence that such exchanges of critical information may be occurring was documented in a November 13, 2001, memorandum to Department CIOs. In that memorandum, the Acting Assistant Attorney General for Administration stated:

      The recent attacks of September 11, 2001, on the United States underscore the critical need for the Department of Justice to take an aggressive role in preventing aliens who engage in or support terrorist activity from entering the United States . . .

      Information technology is a tool that can be used to fight terrorism through improved information sharing with other federal agencies. Through information sharing the overall investigative and intelligence analysis capabilities of the federal government can be enhanced . . . Towards this end, I have initiated an effort within JMD to summarize the current information exchanges between the Department, the Department of State, and the United States Customs Service.

      A draft diagram and a description of the information flows as currently understood by JMD have been prepared. This diagram and the associated narrative provide an overview of the structured information exchanges between four Department components, the Department of State, and the United States Customs Service.

The diagram provided by the Acting Assistant Attorney General is presented in Appendix 9.
Although the draft diagram showed 19 FBI, DEA, and INS IT systems involved in information exchanges with the Department of State and the United States Customs Service, only 4 of these IT systems were identified by the Department as being critical in the January 2001 inventory and 2 were identified as being critical in the December 2002 inventory.39 Information Management and Security Staff officials indicated that the Department received no critical information from external entities and indicated that if Department information is critical to the mission of the external entities, then the external entity representative should contact a Department representative. We previously noted in this report that liaisons had not been identified to facilitate the communication needed in this regard.

Among the remaining 17 systems not identified in either Department inventory are the FBI’s National Instant Criminal Background Check System (NICS) and Automated Case Support (ACS) System, and the DEA’s Narcotics and Dangerous Drugs Information System (NADDIS) as described below. We are not concluding that these are critical systems, but we believe that these systems provide important information to external entities. Without an assessment made in concert with external entities, the Department cannot ensure that its assets critical to the mission of other agencies have been adequately identified.

   •   NICS: The NICS allows firearms dealers to run background checks to ensure firearms are not sold to individuals who are prohibited from possessing firearms. The Department of State sends paper documents to the FBI identifying individuals who have renounced their United States citizenship.
These individuals are listed in NICS as ineligible for firearm transfers.

   •   ACS: The Department of State transmits name check requests to the FBI over a secure network using magnetic tape. The names are checked against the FBI’s ACS System. Paper notifications are sent back to the Department of State.

   •   NADDIS: The NADDIS system provides information to DEA personnel on people, businesses, vessels, and selected airfields identified through the DEA investigative reporting system. The DEA provides a tape from NADDIS identifying persons to the Department of State on a monthly basis. The Department of State loads the identification into their Consular Lookout and Support System.

      39 The four IT systems identified as critical included the FBI’s NCIC 2000 Database, the FBI’s IAFIS, the INS’s IDENT System, and the INS’s CIS.

(2) Ongoing Activities Within Department Components Did Not Adequately Compensate for the Lack of an Effective Interagency Coordination Program.

The Department participates in two groups that have the potential to compensate for the lack of an effective interagency coordination program. These groups are the Information Technology Security Officers Working Group (ITSOWG) and the Computer Crime and Intellectual Property Section (CCIPS).

The ITSOWG is composed of the designated computer security officers or representatives from each of the components and JMD for the purposes of:

   •   providing a Department forum for discussing IT security issues, problems, and problem resolution;

   •   providing for the review and discussion of technological developments in the field of computer security;

   •   increasing components’ awareness of IT security issues including threats to their environments;

   •   identifying security-related areas where Department standards and guidelines are lacking;

   •   assisting in the development of these standards and guidelines; and

   •   participating in the identification of IT security training needs.

A JMD official also meets periodically with a working group managed by the CCIPS of the Department’s Criminal Division to establish uniform policy within the Department on computer crime issues. The CCIPS group advises federal prosecutors and law enforcement agents, comments upon and proposes legislation, coordinates international efforts to combat computer crime, litigates cases, and trains law enforcement groups.

Neither the ITSOWG nor the CCIPS group specifically addresses CIP issues. Absent a working group or other means of communication, the Department cannot ensure that information between components is effectively shared and CIP issues are addressed.

According to IMSS staff, the IMSS partially identified the IT support provided by other agencies and its support to other agencies by developing a detailed analysis of systems and interrelations including the direction of the data flow. However, the IMSS’s analysis does not provide all the data elements required by the CIP Plan, including organizations involved, Department representative, reason for liaison, Department obligations, special considerations, and the primary mission of the outside organization.

E. Conclusions

The Department’s CIP Plan addressed the critical need for cooperation with the various agencies involved in the protection of the critical infrastructure. The CIP Plan defined and established the specific liaisons necessary for the Department to implement a sound CIP program.
However, an effective interagency coordination program was not established because the Department did not: 1) ensure that components developed lists of current liaisons and memoranda of understanding associated with CIP; 2) establish a method for ensuring coordination between the various Department entities and liaisons with outside organizations; 3) create and maintain a centralized database of liaisons and relationships, or establish an entity within the Department to serve as the focal point for all liaisons and relationships pertaining to CIP; and 4) establish a working group, or other means of communication, to ensure that information is effectively shared between Department components having interagency relationships and liaisons.

These problems resulted in part from the CIP Task Force’s cessation of operation in 2000. In addition, the IMSS did not adequately determine whether critical exchanges of information were ongoing between Department components and other entities, and it did not initiate another method of compensating for the interagency coordination program called for in the CIP Plan.

Without an effective program for interagency coordination, the Department cannot ensure effective coordination links exist and that information will be accessible from Department assets when needed.

F. Recommendations

We recommend that the Assistant Attorney General for Administration:

21.   Compile a list of relationships and contacts with other federal agencies and other entities (foreign, state and local agencies, and the private sector).

22.   Contact external entities to determine whether any Department assets are critical to their missions.

23.   Develop and maintain a database to track liaison and interagency relationships.

24.   Establish a working group to address CIP issues.

4. MEETING DEPARTMENT RESOURCE AND ORGANIZATIONAL REQUIREMENTS

      The Department’s CIP Plan required the identification of resources and organization requirements necessary to protect critical assets. This was to be accomplished largely through the efforts of the CIP Task Force. Although the CIP Task Force ceased operating in 2000 and never fully carried out the responsibilities in this area of the Plan, the Department has undertaken some efforts to ensure its resource and organizational requirements are adequately determined. However, full implementation of the CIP Plan has not been achieved. Studies contracted for by JMD in lieu of CIP Task Force studies have not assessed the linkage between budgetary and personnel shortfalls and the Department’s critical infrastructure weaknesses. Completion of this activity is crucial to the Department’s efforts to ensure that its resource and organization requirements have been met.

A. Requirement in the CIP Plan

The Department’s 1999 CIP Plan provided that:

      Based upon the results of the vulnerability assessments, subsequent mitigation and response plans, additional resources will have to be identified, developed, and/or procured to ensure the protection of the Department’s critical infrastructure.

      The purpose of this section [of the Plan] is to identify, develop, and/or procure the necessary resources to ensure the protection of the Department’s critical infrastructure.
      Also, the section will determine and establish the appropriate organizational structure through which the protection of identified critical infrastructure assets will be implemented and sustained.

According to the Plan, the CIP Task Force or its follow-on was to begin a study to determine the appropriate organizational structure for implementing the actions called for under the Plan.

We found that the IMSS did not address the resource and organizational requirements in the April 2003 draft revision of the CIP Plan. The IMSS staff stated that there was no reason for the omission, but it is expected to be in the next CIP Plan. The CIP Plan is expected to be revised again after the Department completes its Project Matrix review.

B. Implementation of the CIP Plan for Resource and Organizational Requirements

The CIP Plan required the CIP Task Force to conduct a study in 1999 to determine the appropriate organizational structure for implementing the actions called for under the Plan. The study was to address issues such as organizational makeup (in terms of the appropriate program office representation), mission, responsibilities, intra-Department liaison, and reporting chain. The study was also to assess the linkage between budgetary and personnel shortfalls and the Department’s critical infrastructure weaknesses in such areas as computer security, network security, network configuration control, aging security systems, and lack of technically qualified security professionals. However, the CIP Task Force did not accomplish the study referenced above and, as noted in Finding 1, staff of the IMSS was unable to explain why the Task Force stopped convening during calendar year 2000.

We sought to determine if the planned activities had been completed separately by JMD. JMD contracted for two studies to determine resource requirements.
First, an August 7, 2000, “Operational Concept Document for Information Security Program” (Operational Concept Document) was intended to provide an assessment of the IT security program’s focus and/or organization to better serve the continuously changing needs of its customer base. The resulting 17-page report discussed the critical elements necessary for a successful IT security program and presented a framework for the realignment of the Department’s IT security organization. Regarding the organization for IT security, the report stated:

      DOJ is comprised of many components with different focuses and interests. This very diversity accentuates the need to have an enterprise-wide Department of Justice IT security program that provides departmentwide policy, minimum-security requirements, standards, guidance, enforcement, and other value-added services to the components.

      A more effective program organization would be a single organization, with a single program, where all IT is covered under a single policy, inspected against the same requirements, trained by a single training staff, subject to a single set of standards, required to undergo a consistent security process, and where all IT users have a single organization to contact for IT security assistance.

We compared the Operational Concept Document to the requirements of the CIP Plan. The Operational Concept Document met some, but not all, of the CIP Plan requirements. The Document briefly addressed organizational makeup, mission, responsibilities, and policy recommendations for computer and network security.
It also presented a framework for the realignment of the Department IT security organization. However, the Operational Concept Document did not meet the plan requirements for a study of intra-Department liaisons, the reporting chain, responsibilities, and the linkage between budgetary and personnel shortfalls and critical infrastructure-specific weaknesses.

Recognizing the need for a more sophisticated study of resource needs, in light of the attacks of September 11, 2001, and the Department’s crucial counterterrorism responsibilities, in July 2002 the Department contracted for an additional study, “The Information Technology Workforce Assessment” (Workforce Assessment).

In completing the Workforce Assessment, a contractor was engaged to work with the Office of the CIO to identify the additional workforce capability needs of a newly proposed CIO organization. The resulting 165-page report, dated October 15, 2002, provided assessments of human capital capabilities, human capital solutions, staffing capabilities gaps and gap-closing strategies, and an implementation plan.

We compared the Workforce Assessment to the study requirements contained in the 1999 CIP Plan as noted above. The Workforce Assessment met the plan requirements for study of organizational makeup, mission, responsibilities, intra-Department liaisons, and reporting chain. However, neither the Workforce Assessment nor the previously completed “Operational Concept Document for Information Security Program” provided an assessment of the linkage between budgetary and personnel shortfalls and the Department’s critical infrastructure-specific weaknesses in such areas as computer security, network security, network configuration control, aging security systems, and lack of technically qualified security professionals.
We asked the IMSS staff for an explanation as to why no assessment of linkages between budgetary and personnel shortfalls and the Department’s critical infrastructure weaknesses was made but we received no response.

In summary, the October 2002 Workforce Assessment essentially completes the Department’s planned 1999 activity to determine the appropriate organizational structure for implementing actions called for under the CIP Plan. Information Management and Security Staff officials indicated that they believed the CIP Plan requirement for organizational requirements was completed in FY 2000 with the preparation of the Operational Concept Document. While we agree that the Operational Concept Document met some of the plan requirements, it was not sufficiently detailed to provide Department officials with the support needed to effectively determine resource and organizational requirements. In addition, the Department still needs to complete an assessment of the linkage between budgetary and personnel shortfalls and the Department’s critical infrastructure weaknesses. Completion of this activity is crucial to the Department’s efforts to ensure that its resource and organization requirements can be met.

C. Recommendation

We recommend that the Assistant Attorney General for Administration:

25.   Complete an assessment of the linkage between budgetary and personnel shortfalls and the Department’s critical infrastructure weaknesses.

5. ESTABLISHING EFFECTIVE RECRUITING, EDUCATING, AND AWARENESS PROGRAMS

      The Department’s 1999 CIP Plan recognized the need to recruit, retain, and educate both Department and contractor personnel in the areas of physical and information security.
      The Plan called for the completion of various programs to ensure that these needs were met. The Department has accomplished some of its efforts in the areas of recruitment, education and awareness. For example, the Department recently implemented a departmentwide initiative to provide computer security awareness training. However, we found that the recruitment and retention program called for in the Plan was not fully implemented.

A. Planned Programs

The April 1999 CIP Plan stated that the Department would establish a program to address the recruitment and retention requirements necessary for a successful critical infrastructure protection program. The Department’s 1999 CIP Plan recognized the need to recruit, retain, and educate both federal and contractor personnel in the areas of physical and information security. The requirements in this area were to include creating or modifying new job series/position descriptions to ensure that individuals charged with oversight and protection of the identified critical infrastructure assets are competent and trained. This effort was also to address the retention of trained personnel in order to ensure the continuity of program execution. Training and capability requirements for individuals were to be based on national standards and criteria.

The CIP Plan also stated that the Department would establish an education, training, and awareness program specifically targeted at critical infrastructure protection.
This program was to ensure that all personnel within the Department recognize their individual responsibilities for infrastructure protection and the potential outcomes of negligent actions on their part.

To accomplish the requirements of the CIP Plan, the CIP Task Force was to work with JMD Personnel Staff to develop criteria for modifying or creating a new job series in support of critical infrastructure protection. The CIP Task Force was also to work with the Department’s CIO and Security Officer to develop and promulgate training criteria and standards to ensure that individuals in key positions with the Department were proficient in their jobs, as related to critical infrastructure protection.

We found that the IMSS failed to address requirements for recruitment, education, and awareness in the April 2003 draft revision of the CIP Plan. The IMSS staff indicated that there was no reason for the omission, but they expect to include these areas in the next CIP Plan. The CIP Plan is expected to be revised again after the Department completes its Project Matrix review.

B. Recruitment

We requested documentation for the recruitment and retention program established under the requirements of the CIP Plan. We were told that JMD had not established the recruitment program identified as necessary to implement a successful CIP program. We requested an explanation from IMSS staff as to why no formal recruitment program was established, but we received no response. We discussed with IMSS staff the process by which IT security personnel are recruited. We were told that the IMSS recruits for IT personnel through the Office of Personnel Management via job series GS-2210, Information Technology Specialist.
Although we were told that the generic IT Specialist announcement is modified to meet the CIP role fulfilled by the IMSS, the IMSS was unable to provide copies of the modified announcements for our review.

C. Education and Training

The CIP Plan recognizes that education and training are necessary for the successful implementation of any information security program. These elements are related, but the elements involve distinctly different levels of learning. According to the CIAO’s Practices for Securing Critical Information Assets guidance:

      Training is geared to understanding the security aspects of the particular IT systems and applications that the individual uses. For example, all users need to learn the security features of the office automation software resident on their respective systems. Users also need to understand the security features of the local area network to which they are connected, as well as security issues related to connectivity to the Internet, intranet, and/or extranet. Education differs from training in both breadth and depth of knowledge and skills acquired.
      Security education, including formal courses and certification programs, is most appropriate for an organization’s designated security specialists.

The Department’s July 2001 document titled, “The Information Technology Security Awareness, Training, and Education Standard and Implementation Guidelines” (Guidelines), contained minimum training requirements and implementation guidelines applying to all individuals, organizations, and entities that control, operate, maintain, and access Department of Justice systems containing SBU information.

The Guidelines generally met the requirements of the CIP Plan for training and established that full-time security professionals (regardless of job title, series, or current level of expertise) must receive 40 hours of formal security training per year and all part-time security professionals must receive 24 hours of formal security training per year. This training may include, but is not limited to, workshops, free seminars, security conferences, computer-based training, and product-specific training, as long as the total number of hours in attendance is equal to or greater than 40. However, attendance at vendor marketing briefings cannot be used to meet this requirement.

We sought to test the extent to which IMSS staff met the annual training requirement. We were told that each IT security staff member was required to have the necessary 40 hours of security training and had met that requirement annually. However, we were unable to verify this assertion because the IMSS retained documentation only for course registration and not for course completion.

D. Awareness

Security awareness can create sensitivity to the threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them.
The fundamental value of IT security awareness programs is that the programs set the stage for further training by bringing about a change in attitudes, which in turn can change the organizational culture.

The IMSS has implemented an IT Security Awareness Training Initiative for the Department. As part of this effort, the Department uses a commercial off-the-shelf product, known as Computer Security Awareness Training (CSAT), to provide awareness training. The CSAT is a web-based training tool that delivers important general IT security training to all Department Government and Contractor system users. The CSAT fulfills training requirements by providing instruction on a number of security topics such as the proper selection and protection of passwords, physical security, e-mail and Internet security, and virus protection. The Department’s efforts appear sufficient to satisfy CIP requirements for computer awareness.

E. Recommendation

We recommend that the Assistant Attorney General for Administration:

26.   Establish a personnel recruitment and retention program as envisioned in the CIP Plan.

6. FOLLOW-UP ON THE PRIOR OIG AUDIT OF DEPARTMENT CRITICAL INFRASTRUCTURE PLANNING FOR THE PROTECTION OF COMPUTER BASED INFRASTRUCTURE

      In our November 2000 report on “Department Critical Infrastructure Protection – Planning for the Protection of Computer Based Infrastructure,” we found that the Department had not yet: 1) identified all of its mission-essential assets, 2) assessed the vulnerabilities of each of its systems, 3) developed remedial action plans for identified vulnerabilities, or 4) developed a multi-year funding plan for reducing vulnerabilities.
During this current audit, we tested follow-up\n      actions taken regarding these recommendations. We found that\n      that the IMSS had completed some of the required corrective\n      actions, but further work is required regarding the MEI\n      inventory, plans to address weaknesses identified in vulnerability\n      assessments, and development of a multi-year funding plan for\n      the remediation of vulnerabilities.\n\n       PDD 63 required that the Department and other government\ndepartments and agencies prepare plans for protecting their critical\ninfrastructure. The plans required the determination of the Department\xe2\x80\x99s\nminimum essential infrastructure, an assessment of each asset\xe2\x80\x99s\nvulnerabilities, and plans to remediate those vulnerabilities. Our prior audit\nfocused on the adequacy of the Department\xe2\x80\x99s planning and assessment\nactivities for protecting its critical computer-based infrastructure.\n\n      In our November 2000 report, we recommended that the Assistant\nAttorney General for Administration:\n\n \xe2\x80\xa2    inventory the Department\xe2\x80\x99s MEI in a manner that: a) uses the CIAO\xe2\x80\x99s\n      definition of MEI; b) links the MEI to those Department missions that\n      are absolutely necessary to national security, national economic\n      security, or continuity of government operations; and\n      c) documents the criteria used to select each asset;\n\n \xe2\x80\xa2    complete vulnerability assessments of the Department\xe2\x80\x99s MEI by\n      December 31, 2000;\n\n \xe2\x80\xa2    develop remedial plans to address weaknesses identified by the\n      vulnerability assessments; and\n\n \xe2\x80\xa2    develop a multi-year funding plan for the remediation of\n      vulnerabilities.\n\n                                    - 68 -\n\x0c      In October 2000, JMD concurred with our findings and\nrecommendations, and agreed to implement the appropriate corrective\nactions. 
During our current audit, we tested the extent to which the recommended
corrective actions have been completed.

A. Inventory the Department's MEI

The Department revalidated its MEI in December 2002. We found that the
Department utilized the CIAO's definition of MEI and a set of modified
surveys to validate the MEI. Agency MEI was defined as "the framework of
critical organizations, personnel, systems, and facilities that are
absolutely required in order to provide the inputs and outputs necessary to
support core processes. Core processes are those that are essential to
accomplishing the organization's core missions as they relate to national
security, national economic security, or continuity of government services."

For each asset included in the December 2002 revalidated MEI, the IMSS
provided appropriate links to the criteria and strategic goals contained in
the Department's strategic plan revised as of November 2001.

The IMSS established and documented the selection criteria and procedures
used in developing the December 2002 revalidated MEI. The IMSS also worked
with the components in revising the MEI inventory and coordinated its
activities with the CIAO. However, as noted in Finding 3 of this report, we
are concerned that neither the IMSS nor the Department components considered
the dependency of other government programs on the Department's IT systems,
and whether critical exchanges of information were occurring. As a result,
Department IT systems that exchanged critical information with external
entities may not have been identified and considered adequately for
protection under the CIP program.

B. Complete Vulnerability Assessments of the Department's MEI by
   December 31, 2000

In March 2002, the Department completed a vulnerability assessment for assets
contained in the January 2001 MEI inventory. However, as discussed in
Finding 1 of this report, vulnerability assessments have not been completed
for assets newly added to the MEI and the assets of the ATF.

C. Remedial Plans to Address Weaknesses Identified by the Vulnerability
   Assessments

Finding 1 of this report details our significant concerns regarding the
management of a risk mitigation program, and we provide eight
recommendations regarding improvement of this program.

D. Multi-Year Funding Plan for the Remediation of Vulnerabilities

As noted in Finding 1 of this report, as part of the March 2002
Vulnerability Assessment, the Department prepared a multi-year funding plan.
The Plan identifies that the Department is expected to have spent
$128 million in FY 2003 to improve IT security. However, the plan is not
linked to the identified vulnerabilities and is not useful in identifying
whether the funding amounts presented are adequate to remediate IT systemic
vulnerabilities.


                                                              APPENDIX 1

              OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

The primary objectives of this audit were to determine whether the Department
has effectively implemented its plans for: 1) mitigating risks; 2) managing
emergencies; 3) coordinating resources with other agencies; 4) meeting its
resource and organizational requirements; and 5) recruiting, educating, and
maintaining awareness relating to protecting its critical cyber-based
infrastructures.

Scope and Methodology

The audit was performed in accordance with Government Auditing Standards, and
included tests and procedures necessary to accomplish the audit objectives.
We conducted work at the offices of JMD's Information Management and Security
Staff located in Washington, D.C.

Our audit began July 22, 2002. To perform our audit, we conducted interviews
with officials from JMD. Justice Management Division officials were from the
IMSS, CSS, SEPS, and Budget Staff. Additionally, we reviewed documents related
to CIP management policies and procedures, project management guidance,
strategic plans, IT systems certification and accreditation, budget
documentation, organizational structures, Congressional testimony, and prior
GAO and OIG reports.

To determine whether the IMSS was effectively managing the CIP program, we
followed guidance issued by the PCIE and ECIE Audit Committee. See Appendix 7
for a description of the PCIE/ECIE.

We compared the evidence collected from documents reviewed and interviews to
the practices defined in the Department's CIP Plan; PDD 63; and The Practices
for Securing Critical Information Technology Assets, issued by the CIAO's
office. Additionally, we followed up on recommendations from our prior audit
report, entitled "Department Critical Infrastructure – Planning for the
Protection of Computer Based Infrastructure Report," issued November 2000. In
assessing the status of the Department's effort to close the recommendations,
we assessed the adequacy of: 1) the development of the MEI, particularly
after the 9/11 terrorist attacks, 2) the vulnerability assessment, and 3) the
multi-year funding plan.

To determine whether the Department had adequately implemented its Risk
Mitigation Plan for vulnerabilities identified in the vulnerability
assessment, we reviewed the vulnerability assessment, tabulated the
vulnerabilities identified, tracked the status of the IMSS's efforts in
monitoring mitigation activities, and noted variances. Additionally, based on
comments by IMSS officials, we assessed whether resources were adequate to
fund the risk mitigating activities and whether risk mitigation activities
would be completed by May 2003.

In assessing the Department's implementation of its emergency management
program, IMSS staff provided a description of the emergency management
program. We examined the Department's management policy for: 1) indications
and warnings; 2) incident collection, reporting, and analysis; 3) response;
and 4) contingency plans. Additionally, we attempted to verify whether these
functions were adequately tested.

Our assessment of interagency coordination included a review of the
methodology that the IMSS used to determine the critical support other
entities' assets provide to the Department and that the Department provides
to other agencies. We assessed the Infrastructure Asset Evaluation Surveys
completed by Department components. Additionally, we determined the status of
the development of a list of liaisons and interagency relationships as it
relates to CIP.

We evaluated the Department's comparison of its organizational requirements to
existing resources and the status of corrective actions or plans to correct
the variances identified. We reviewed independent studies completed to
analyze current organizational makeup, identify needed skills in the IT
security staff, identify gaps, and propose organizational and staffing
changes.

We evaluated the IMSS's current recruitment efforts and the generic criteria
used to recruit IT security professionals. We reviewed resource needs
identified through other reviews and, as it pertained to CIP, evaluated
whether variances had been corrected.

We evaluated education and training for computer security professionals. We
reviewed the generic requirements for the GS-2210, Computer Specialist, job
series and evaluated the specific IMSS training requirements.
We further assessed awareness policy, the purpose of which is to sensitize
workers regarding the importance of security.


                                                         APPENDIX 2

                 ABBREVIATIONS AND ACRONYMS

ACS       Automated Case Support
ATF       Bureau of Alcohol, Tobacco, Firearms, and Explosives
C&A       Certification and Accreditation
CCIPS     Computer Crime and Intellectual Property Section
CIAO      Critical Infrastructure Assurance Office
CIO       Chief Information Officer
CIP       Critical Infrastructure Protection
CIPTF     Critical Infrastructure Protection Task Force
CIS       Central Index System
CJIS      Criminal Justice Information Services
CSAT      Computer Security Awareness Training
CSIRC     Computer Security Incident Response Capability
CSS       Computer Services Staff
DEA       Drug Enforcement Administration
DHS       Department of Homeland Security
DOJ       Department of Justice
DOJCERT   Department of Justice Computer Emergency Response Team
ECIE      Executive Council on Integrity and Efficiency
EIS       El Paso Intelligence Center Information System
ENFORCE   Enforcement Case Tracking System
EPIC      El Paso Intelligence Center
FBI       Federal Bureau of Investigation
FedCIRC   Federal Computer Incident Response Center
FISA      Foreign Intelligence Surveillance Act
GAO       General Accounting Office
GISRA     Government Information Security Reform Act
GSA       General Services Administration
IAFIS     Integrated Automated Fingerprint Identification System
IDS       Intrusion Detection System
IDENT     Automated Biometric Identification System
IISNET    Intelligence Information System Network
IMSS      Information Management and Security Staff
INS       Immigration and Naturalization Service
INSINC    INS Integrated National Communications System
IT        Information Technology
ITSOWG    Information Technology Security Officers Working Group
ITSS      Information Technology Security Staff
IV&V      Independent Verification and Validation
JCN       Justice Consolidated Network
JDC-D     Justice Data Center – Dallas
JDC-W     Justice Data Center – Washington
JMD       Justice Management Division
MEI       Minimum Essential Infrastructure
MAN       Metropolitan Area Network
NADDIS    Narcotics and Dangerous Drugs Information System
NCIC      National Crime Information Center
NICS      National Instant Criminal Background Check System
NIPC      National Infrastructure Protection Center
NSI       National Security Information
OIG       Office of the Inspector General
OMB       Office of Management and Budget
POA&Ms    Plans of Actions and Milestones
PCIE      President's Council on Integrity and Efficiency
PDD       Presidential Decision Directive
SAMNET    Secured Automated Messaging Network
SBU       Sensitive but Unclassified
SEPS      Security and Emergency Planning Staff
SIOC      Strategic Information Operations Center
SMART     Security Management and Report Tool
SOD       Special Operations Division
WAN       Wide Area Network


                                                                 APPENDIX 3

         STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

We have audited the Department's implementation of plans to protect its
cyber-based infrastructure.
We reviewed the Department's efforts to mitigate risks identified from
vulnerability assessment; manage emergencies; coordinate with other agencies;
meet its resource and organizational requirements; and assess recruitment,
education, and awareness efforts.

In connection with the audit, and as required by Government Auditing
Standards, we reviewed program activities and records to obtain reasonable
assurance about the Department's compliance with laws and regulations that,
if not complied with, we believe could have a material effect on program
operations. Compliance with laws and regulations applicable to the
Department's critical infrastructure planning is the responsibility of the
Justice Management Division.

Our audit included examining, on a test basis, evidence about laws and
regulations. Specifically, we conducted our tests against the relevant
portions of:

   •   Presidential Decision Directive 63, The Clinton Administration's Policy
       on Critical Infrastructure Protection, dated May 22, 1998;

   •   Practices for Securing Critical Information Assets, Critical
       Infrastructure Assurance Office, dated January 2000;

   •   Department of Justice Order 2640.2D, Information Technology Security,
       approved July 12, 2001; and

   •   The Government Performance and Results Act of 1993.

Except for those issues cited in the Findings and Recommendations section of
the report, our tests indicated that, for those items reviewed, the
Department was in compliance with the laws and regulations referred to above.
With respect to those transactions not tested, nothing came to our attention
that caused us to believe that Department management was not in compliance
with the laws and regulations cited above.


                                                               APPENDIX 4

            STATEMENT ON MANAGEMENT CONTROLS

In planning and performing our audit of the Department's management of its
planning and assessment activities for protecting its critical
infrastructure, we considered the Department's management controls for the
purpose of determining our auditing procedures. This evaluation was not made
for the purpose of providing assurance on the management control structure
as a whole; however, we noted certain matters that we consider reportable
conditions under Government Auditing Standards.

Reportable conditions involve matters coming to our attention relating to
significant deficiencies in the design or operation of the management control
structure that, in our judgment, could adversely affect the Department's
ability to effectively manage projects in support of its CIP planning.
During our audit, we found the following management control deficiencies.

   •   The IMSS did not adequately oversee risk mitigation actions from
       components to ensure that vulnerabilities would be mitigated by
       May 2003.

   •   The Department has not ensured testing of its contingency plans for
       the Department's critical systems or other aspects of its emergency
       management plan.

   •   The Department has not documented its interagency and liaison
       relationships.

   •   The IMSS could not document that the Department's critical systems
       complied with the Department's requirements (Department Order
       2640.2D).

Because we are not expressing an opinion on the Department's overall
management control structure, this statement is intended for the information
and use of the Department in managing its CIP program. This restriction is
not intended to limit the distribution of this report, which is a matter of
public record.


                                                                           APPENDIX 5

            DEPARTMENT OF JUSTICE'S COMPUTER-BASED
              MINIMUM ESSENTIAL INFRASTRUCTURES

Department   Assets from                                                  Assets from
Component    January 2001 MEI                                             December 2002 MEI

DEA          El Paso Intelligence Center (EIS)                            EPIC EIS
             Mercury (M2K)                                                M2K
             Merlin                                                       Merlin
             Firebird                                                     Firebird
             Model 204                                                    Model 204
                                                                          Centralized Data Intercept
                                                                          Electronic File Room
                                                                          Wide Area Network
                                                                          GESCAN
                                                                          Firebird nodes in SOD and Command Center

FBI                                                                       Key Asset Database
                                                                          Secure Radio System
                                                                          Digital Storm Collection Systems
             Mainframe and applications                                   Mainframe and applications
             Criminal Justice Information System (CJIS – WAN)
             InfraGard
             Integrated Automated Fingerprint ID System (IAFIS)           IAFIS
             National Crime Information Center System 2000 (NCIC 2000)    NCIC 2000
             FBI Wide Area Network (FBI NET)                              FBI NET
             Intelligence Information System (IISNET)
             Secured Automated Messaging Network (SAMNET)

INS          Central Index System (CIS)
             Enforcement Case Tracking System (ENFORCE)
             Automated Biometric Identification System (IDENT)
             INS Integrated National Communications System (INSINC)

JMD          Justice Consolidated Network (JCN)                           JCN
             Justice Data Center (JDC) – Dallas Computing Platforms       JDC-D
             Justice Data Center – Washington Computing Platforms         JDC-W
                                                                          Metropolitan Area Network (MAN)

    Source: Justice Management Division's 1999 CIP Plan (with added appendices) and
    April 2003 Draft CIP Plan
    Legend: Bold Italicized items – Deletions from MEI;
            Bolded Items – Additions to MEI
    (Component assignments for the December 2002 additions follow the asset
    descriptions in Appendix 6.)


                                                                            APPENDIX 6

                        CRITICAL ASSET DESCRIPTIONS

Component  System Name                         Description

DEA        EIS                                 EIS is a centralized computer network comprised
                                               of a message handling system, a Geographic
                                               Information System, office automation tools, the
                                               EPIC Internal Database, and an automated external
                                               databases query capability.

DEA        Mercury                             Mercury is a record message traffic system
                                               providing DEA connectivity to offices within and
                                               outside the continental United States.

DEA        Merlin                              Merlin provides DEA intelligence analysts with
                                               access to classified information and special
                                               reports, office automation capabilities, database
                                               information, and analytical tools.

DEA        Firebird                            Firebird, the general support system, is the DEA
                                               office automation infrastructure upgrade
                                               initiative and provides DEA personnel with an
                                               intuitive interface for automating the
                                               investigative report process, sharing case
                                               information, and performing analysis and
                                               administrative activities.

DEA        Centralized Data Intercept          The Centralized Data Intercept serves as a
                                               central collection and distribution point for the
                                               call data information related to Title III
                                               intercepts.40

    40  Title III of the Omnibus Crime Control and Safe Streets Act of 1968 provided for
    the use of court-ordered electronic surveillance in the investigation of certain
    specified violations.
The law provided that wiretaps could be used in emergency situations, but if a\n    warrant was not obtained within 48 hours then any information obtained could not be used\n    in court or even revealed.\n\n                                              - 78 -\n\x0cDEA             Model 204             Model 204 Database Applications are\n                                      mainframe investigative databases that\n                                      support enforcement of laws.\n\n\n\n\nDEA        Electronic File Room       The Electronic File Room is the central soft\n                                      copy storage portion of the DEA SBU -\n                                      investigative files.\n\nDEA        Wide Area Network          DEA WAN consists of e-mail servers to\n                                      support classified and SBU operations.\n\nDEA              GESCAN               GESCAN is the DEA\'s automated message\n                                      handling system.\n\nDEA     Firebird nodes in Special   Firebird nodes consists of Firebird NT\n      Operations Division (SOD) and Server, Exchange, MS Office, peripherals\n            Command Center          workstations and LAN wiring for the backup\n                                    of SOD and Command Center SBU NT file\n                                    services and e-mail at the offsite facility in\n                                    Chantilly, VA, to NT Server.\n\nFBI    Mainframe and Applications     The FBI mainframes contain investigative\n                                      and administrative applications necessary\n                                      for the FBI to perform its designated duties\n                                      in securing domestic security, enforcing\n                                      Federal laws, and protecting the rights and\n                                      interests of United States persons.\n\nFBI        Key Asset Database         The 
Key Asset Database is a database of\n                                      information concerning Key Assets within\n                                      each field office\'s jurisdiction, establish lines\n                                      of communication with Key Asset owners\n                                      and operators to improve cyber and\n                                      physical security, and enhance ongoing\n                                      coordination with other Federal, state and\n                                      local government entities, to ensure their\n                                      involvement in the protection of critical\n                                      infrastructures.\n\n\n\n\n                                  - 79 -\n\x0cFBI         CJIS WAN                CJIS WAN is the communications\n                                    infrastructure that provides electronic\n                                    connectivity between state/local law\n                                    enforcement agencies, forensic/ballistic\n                                    laboratories, and the FBI.\n\n\nFBI          InfraGard              InfraGard is an information sharing system\n                                    for computer intrusion incidents and system\n                                    vulnerabilities.\n\nFBI            IAFIS                IAFIS is a nationwide mainframe system\n                                    that provides state of the art fingerprint\n                                    identification processes and criminal history\n                                    information for use by criminal justice and\n                                    law enforcement agencies.\n\nFBI         NCIC 2000               NCIC 2000 is the nationwide criminal justice\n                                    information application that provides the\n                                    law enforcement community with immediate\n  
                                  access to documented criminal information\n                                    vital to effective criminal justice operations.\n\nFBI   Digital Storm Collection      The FBI\'s Digital Storm Collection Systems\n              Systems               provide for the ability to operate Foreign\n                                    Intelligence Surveillance Act (FISA)\n                                    Electronic Surveillance activities and collect\n                                    and remotely transfer FISA information.\n\nFBI          FBI NET                FBINET is a general support system which\n                                    provides worldwide communications support\n                                    to the FBI\'s investigative and intelligence\n                                    applications at 500 locations in the\n                                    United States and approximately\n                                    35 overseas locations.\n\nFBI           IISNET                IISNET is a major application processing\n                                    classified data. The system is considered to\n                                    be the FBI\'s path for the Department of\n                                    Defense TS/SCI network.\n\n\n\n\n                                 - 80 -\n\x0cFBI   Secure Mobile Radio System   The FBI\'s Land Mobile Radio Systems\n                                   supports secure, mobile, tactical\n                                   communications throughout the\n                                   United States.\n\nFBI            SAMNET              SAMNET is a major application and\n                                   processes classified data. 
SAMNET is a\n                                   messaging system and provides access to\n                                   the Defense Special Security\n                                   Communications System from\n                                   approximately 60 field locations.\n\nINS              CIS               CIS is a major application. CIS contains\n                                   information on persons of interest to the\n                                   INS, along with summary data from other\n                                   INS systems.\n\nINS           ENFORCE              ENFORCE is an event-based case\n                                   management system, integrating subject\n                                   processing, biometric identification,\n                                   allegations and charges, preparation and\n                                   the printing of appropriate forms.\n\nINS             IDENT              IDENT is a two-fingerprint and photo image\n                                   capture identification application that\n                                   enables INS offers to quickly identify\n                                   persons about whom INS has information.\n\nINS            INSINC              INSINC is the INS data communications\n                                   infrastructure for non-classified processing.\n\nJMD           JCN-MAN              The MAN provides ATM services for\n                                   22 Department resources and facilities\n                                   within the D.C. 
metropolitan area.\n\n\n\n\n                               - 81 -\n\x0cJMD   JDC-D      JDC-D provides enterprise mainframe and\n                 server platform support for mission critical\n                 applications such as INS CIS.\n\nJMD   JDC-W      JDC-W provides enterprise mainframe and\n                 service platform support for mission critical\n                 applications such as DEA Model 204\n                 Database Applications.\n\nJMD    JCN       JCN is a general support system providing\n                 the Department with a state-of-the-art high\n                 capacity communications backbone that\n                 consolidates individual Department\n                 components\' telecommunications networks\n                 into one network to reduce costs, increase\n                 reliability, simplify network management,\n                 provide a common security approach,\n                 support emerging requirements of new\n                 applications, and foster interoperability and\n                 cooperation between components and non-\n                 Department clients.\n\n\n\n\n              - 82 -\n\x0c                                                             APPENDIX 7\n\n                      PCIE/ECIE DESCRIPTION\n\n  The President\'s Council on Integrity and Efficiency (PCIE) and the\nExecutive Council on Integrity and Efficiency (ECIE) were established by\nExecutive Order 12805, May 11, 1992, to:\n\n  \xe2\x80\xa2   address integrity, economy, and effectiveness issues that transcend\n      individual government agencies, and\n\n  \xe2\x80\xa2   increase the professionalism and effectiveness of Inspector General\n      (IG) personnel throughout the government.\n\n      To accomplish their mission, the PCIE and ECIE members look to\nconduct interagency and inter-entity audit, inspection, and investigation\nprojects to promote economy and efficiency in Federal programs and\noperations and address more 
effectively governmentwide issues of fraud, waste, and abuse. The Council members also develop policies, standards, and approaches to aid in the establishment of a well-trained and highly skilled IG workforce.

      The PCIE is primarily comprised of the Presidentially-appointed IGs and the ECIE is primarily comprised of the agency head-appointed IGs. The Deputy Director for Management of the Office of Management and Budget chairs both Councils. The Chair appoints a Vice Chair from each Council to assist in carrying out its functions. Officials from the Office of Management and Budget, Federal Bureau of Investigation, Office of Government Ethics, Office of Special Counsel, and Office of Personnel Management serve on both Councils.


                                                                           APPENDIX 8

        THE TWELVE CRITICAL IT ASSET VULNERABILITIES

Vulnerability #1:   Lack of auditing features, audit trails, or policies and procedures.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Twelve of the critical IT assets reported vulnerabilities in the area of auditing features or audit trails. In some of the systems, the auditing function was non-existent, either because it was disabled or was not a feature of the software. In other systems, the audit trail did not track the activities of system users who modify, bypass, or negate system security safeguards. In some of the systems that had adequate audit features, the logs were not reviewed, there were no policies or procedures in place addressing review of the audit logs, or the mechanism for reviewing the audit logs was insufficient to detect a pattern of access that would indicate a problem.
Risk Rating:        Low – Moderate
Mitigation Action:  Components should ensure the current IT security policy on auditing and audit trails is implemented on their critical IT assets. The Information Management and Security Staff (IMSS) will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #2:   Improper or inadequate password protection, password aging, and construction.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Nine of the critical IT assets have vulnerabilities related to password aging, inadequate password protection, and password construction. Some of the systems had more than one vulnerability in this area.
                    • Three systems had vulnerabilities related to default passwords.
                    • Three of the systems allowed passwords that either did not meet the minimum length requirement or did not enforce the use of alphanumeric or special characters.
                    • Three systems had vulnerabilities associated with unencrypted passwords.
                    • Three of the systems did not enforce the password aging policy.
                    • Three of the systems had vulnerabilities associated with users sharing passwords.
Risk Rating:        Moderate
Mitigation Action:  Change initial login and default passwords immediately, as default login passwords can be easily guessed or are widely known. Also, implement the current IT security policy on encryption, identification and authentication, and password management. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #3:   Lack of encryption.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Lack of encryption was cited as a vulnerability in five sensitive but unclassified (SBU) critical IT systems. No National Security Information (NSI) [systems] had vulnerabilities related to encryption.
                    • Four of the systems stored and transmitted highly sensitive data without encryption, including passwords (mainframe applications).
                    • Three systems transmit highly sensitive data without encryption across the wide area network.
Risk Rating:        Moderate
Mitigation Action:  Encrypt SBU data across general support systems because of the impact the information has on the Department's PDD 63 mission. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #4:   Software patches not installed for known vulnerabilities.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Five systems were lacking patches to fix known vulnerabilities.41 Exploiting known software vulnerabilities is a primary means of gaining privileged access to a system or implementing a denial of service attack.
Risk Rating:        Moderate
Mitigation Action:  Program managers should establish a program to identify, review, and install, as appropriate, patches to operating systems and other software. The patches should also be included in the configuration management documentation for the system.
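The "identify" step of the patch program described above comes down to comparing each installed version against the version an advisory names as fixed, and a plain string comparison gets this wrong (as a string, "9.2.10" sorts before "9.2.9"). The following Python is an added example, not code from the audit report or from the Department: it compares versions segment by segment in the simplified style of RPM's rpmvercmp (no epoch or tilde handling) and lists every inventory entry that is older than an advisory's fixed version. The host names, package versions and advisory identifiers are constructed for illustration.

```python
"""Added example, not from the audit report: find installed packages that are
older than the fixed version an advisory names. The inventory and advisories
below are constructed sample data with hypothetical hosts, versions and
advisory identifiers."""
import re
from dataclasses import dataclass

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def version_segments(version):
    """Tokenise '2.4.10a' into ['2', '4', '10', 'a']; separators are ignored."""
    return _SEGMENT.findall(version)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.
    Simplified RPM-style rules: numeric segments compare as integers
    ('1.10' > '1.9'), a numeric segment outranks an alphabetic one
    ('2.4.1' > '2.4a'), and extra trailing segments make a version newer
    ('2.4.1' > '2.4'). Epochs and '~' pre-release markers are not handled."""
    sa, sb = version_segments(a), version_segments(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier
    package: str
    fixed_in: str      # first version carrying the fix


@dataclass(frozen=True)
class Installed:
    host: str
    package: str
    version: str


def missing_patches(inventory, advisories):
    """Return (host, package, installed, advisory_id, fixed_in) for each
    installed package whose version is older than an advisory's fixed version."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for item in inventory:
        for adv in by_package.get(item.package, []):
            if compare_versions(item.version, adv.fixed_in) < 0:
                findings.append((item.host, item.package, item.version,
                                 adv.advisory_id, adv.fixed_in))
    return findings


# Constructed sample data: hosts, packages, versions and ids are hypothetical.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "wu-ftpd", "2.6.2"),
    Advisory("ADV-0002", "openssh", "3.7.1"),
    Advisory("ADV-0003", "bind", "9.2.9"),
]
SAMPLE_INVENTORY = [
    Installed("host-a", "wu-ftpd", "2.6.1"),   # older than the fix
    Installed("host-a", "openssh", "3.9"),     # newer, not affected
    Installed("host-b", "openssh", "3.7.1"),   # exactly the fixed version
    Installed("host-b", "bind", "9.2.10"),     # newer; string order would call it older
    Installed("host-c", "bind", "9.2.8"),      # older than the fix
]

if __name__ == "__main__":
    for host, pkg, have, adv, need in missing_patches(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{host}: {pkg} {have} is below {need} ({adv})")
```

Pre-release suffixes such as 9.2.9rc1 sort as newer than 9.2.9 under this comparator, so feed it the package manager's own version strings, which encode pre-releases with a tilde or an epoch, rather than upstream version numbers.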
The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #5:   Lack of, limited, or untested contingency plans.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Six IT systems had vulnerabilities associated with contingency plans. The vulnerabilities included no contingency plans, limited contingency plans that addressed only one scenario, and untested contingency plans.
Risk Rating:        Moderate
Mitigation Action:  Develop and test contingency plans for all the critical assets. The Justice Management Division has made the testing of contingency plans a performance measure for the Department and will track the progress of the individual systems within the tracking database.

      41  Information Technology Laboratory Bulletin, "Computer Attacks: What They Are and How to Defend Against Them," May 1999. [This note appears in the "source" for this table.]

Vulnerability #6:   Lack of computer security incident response capability.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Four critical IT systems reported vulnerabilities in their Computer Security Incident Response Capability (CSIRC).
                    • Two systems had a draft CSIRC plan that had not been finalized.
                    • One system did not have procedures in place for reporting incidents as required by the agency's policy.
                    • The Computer System Security Officer for the remaining system did not report incidents in the time frame specified by the agency's policy.
Risk Rating:        Low
Mitigation Action:  Component Computer System Security Officers should review their CSIRC plans, ensure they are current, and ensure the officers are knowledgeable of the reporting requirements. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #7:   Lack of access controls.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Seven critical IT systems reported vulnerabilities in access controls. The vulnerabilities included the failure to delete user accounts when personnel are terminated and the failure to remove privileges when access is no longer required due to a change of position or task.
Risk Rating:        Low – Moderate
Mitigation Action:  Components should ensure access privileges and accounts are deleted when an individual is terminated and that privileges are periodically reviewed and updated based on "least privilege" and "separation of duties." The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #8:   Lack of configuration management.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Nine critical IT systems reported vulnerabilities associated with configuration management. The vulnerabilities included inadequate configuration management policies and documentation and no process to review configuration management documents on a regular basis.
Risk Rating:        Moderate
Mitigation Action:  Components should ensure system administrators for critical IT systems have established a configuration management process for their systems. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #9:   Lack of intrusion detection.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Six critical IT assets reported vulnerabilities in the area of intrusion detection. The affected critical IT systems either did not have an intrusion detection capability, had an intrusion detection system that did not provide real-time monitoring, or did not monitor internal packet exchange traffic.
Risk Rating:        Low – Moderate
Mitigation Action:  Components should ensure their critical IT systems have an intrusion detection capability. Also, the Department has established a procedure for the components to report any intrusions on their critical IT assets. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #10:  Lack of or inadequate virus protection.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Six critical IT systems had vulnerabilities associated with lack of or inadequate virus protection. Some of the systems did not have virus protection installed on all the personal computers and network servers; other systems did not update the virus signature files on a regular basis.
Risk Rating:        Moderate
Mitigation Action:  Components should ensure the critical IT systems have virus detection software installed on all personal computers, servers, and e-mail systems, and that the software conducts a scan on a periodic basis. Additionally, the components should frequently update the protection signature files so the critical IT systems are protected from recently released viruses. The IMSS will utilize its internal database to track the resolution of this vulnerability.

Vulnerability #11:  Exploitable network services enabled.
Threat:             All threat areas can impact this vulnerability.
Discussion:         Five critical IT systems had vulnerabilities associated with exploitable network services. The network services enabled on the systems included anonymous File Transfer Protocol (FTP) service, Internet Protocol (IP) forwarding, Network File System (NFS), the network finger service, and .rhosts files.
Risk Rating:        Moderate – High
Mitigation Action:  Determine which services are currently running on critical IT systems, either through penetration testing or other means. Network services should be reviewed and those that are not necessary should be disabled. Appropriate countermeasures should be applied to those services that are necessary, such as "tcp wrappers" to restrict and log host access when using the finger network service. Components should ensure future penetration testing includes the identification of exploitable network services as a major focus of the testing. The IMSS will utilize its internal database to track the resolution of this vulnerability.
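The mitigation above asks for three things that can be checked mechanically: which services are enabled, whether the unnecessary ones (anonymous FTP, rsh/rlogin with .rhosts trust, world-readable NFS exports, IP forwarding) are still on, and whether a service kept on purpose, finger here, is actually started through tcpd so that tcp wrappers can restrict and log access. One caveat a practitioner should carry into that last check: tcp wrappers decide from /etc/hosts.allow and then /etc/hosts.deny and allow by default, so a wrapped finger with no "ALL: ALL" rule in hosts.deny is logged but not restricted. The following Python is an added example, not code from the audit report or from the Department; it audits constructed sample configuration files in Linux layout (inetd.conf, passwd, exports, the ip_forward sysctl, hosts.allow/hosts.deny and any .rhosts files) and reports a weak host beside a hardened one.

```python
"""Added example, not from the audit report: audit a host for the exploitable
network services named in Vulnerability #11 and for the tcp_wrappers
countermeasure. All configuration text is constructed sample data in Linux
file layout; no real host was examined."""
from dataclasses import dataclass, field

RISKY_SERVICES = {                      # inetd service name -> why it is a risk
    "finger": "discloses user names and login activity",
    "ftp": "sends credentials in the clear and may permit anonymous login",
    "shell": "rsh honours .rhosts trust relationships",
    "login": "rlogin honours .rhosts trust relationships",
}

@dataclass
class HostConfig:
    inetd_conf: str
    passwd: str
    exports: str                        # Linux-style /etc/exports
    ip_forward: str                     # contents of /proc/sys/net/ipv4/ip_forward
    hosts_allow: str
    hosts_deny: str
    rhosts: dict = field(default_factory=dict)   # path -> contents of each .rhosts

def active_lines(text):
    """Configuration lines that are neither blank nor comments."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def audit(cfg):
    """Return (severity, message) findings for one host, highest severity first."""
    findings, enabled, wrapped = [], {}, False
    for line in active_lines(cfg.inetd_conf):
        f = line.split()                # service socktype proto wait user server args
        if len(f) >= 6:
            enabled[f[0]] = f[5]        # service name -> server program
    for svc, server in enabled.items():
        if svc not in RISKY_SERVICES:
            continue
        if server.endswith("/tcpd"):    # started through tcp_wrappers
            wrapped = True
            findings.append(("medium", f"{svc}: {RISKY_SERVICES[svc]} "
                             "(wrapped with tcpd; confirm hosts.allow/hosts.deny restrict it)"))
        else:
            findings.append(("high", f"{svc}: {RISKY_SERVICES[svc]} (enabled without tcp_wrappers)"))
    # tcpd consults hosts.allow, then hosts.deny, and allows by default: without
    # an ALL: ALL entry in hosts.deny the wrapper logs access but does not restrict it.
    if wrapped and not any(l.replace(" ", "").upper().startswith("ALL:ALL")
                           for l in active_lines(cfg.hosts_deny)):
        findings.append(("high", "tcpd in use but /etc/hosts.deny has no 'ALL: ALL' default deny"))
    # Classic daemons such as wu-ftpd enable anonymous login when an 'ftp' account exists.
    if "ftp" in enabled and any(l.startswith("ftp:") for l in active_lines(cfg.passwd)):
        findings.append(("high", "account 'ftp' exists while ftp is enabled: anonymous FTP likely"))
    for line in active_lines(cfg.exports):
        path, *clients = line.split()
        if not clients or any(c.startswith("*") for c in clients):
            findings.append(("high", f"NFS export {path} is available to any host"))
        if "no_root_squash" in line:
            findings.append(("high", f"NFS export {path} maps remote root to local root"))
    if cfg.ip_forward.strip() == "1":
        findings.append(("medium", "IP forwarding enabled: host routes between its interfaces"))
    for path, content in cfg.rhosts.items():
        if any(l.split()[0] == "+" for l in active_lines(content)):
            findings.append(("high", f"{path} trusts any host ('+')"))
        else:
            findings.append(("medium", f"{path} present: rsh/rlogin trust configured"))
    return sorted(findings, key=lambda x: {"high": 0, "medium": 1}[x[0]])

def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts

# Constructed sample hosts (hypothetical paths, addresses and accounts).
WEAK = HostConfig(
    inetd_conf=("ftp     stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd -l\n"
                "finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd\n"
                "shell   stream tcp nowait root   /usr/sbin/in.rshd    in.rshd\n"
                "login   stream tcp nowait root   /usr/sbin/in.rlogind in.rlogind\n"),
    passwd="root:x:0:0:root:/root:/bin/sh\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n",
    exports="/export/home *(rw,no_root_squash)\n/export/data\n",
    ip_forward="1\n", hosts_allow="", hosts_deny="",
    rhosts={"/root/.rhosts": "+ +\n", "/home/alice/.rhosts": "wksta1 alice\n"},
)
HARDENED = HostConfig(
    inetd_conf=("#ftp    stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd -l\n"
                "finger  stream tcp nowait nobody /usr/sbin/tcpd       in.fingerd\n"),
    passwd="root:x:0:0:root:/root:/bin/sh\n",
    exports="/export/data 10.1.2.0/24(ro,root_squash)\n",
    ip_forward="0\n", hosts_allow="in.fingerd: 10.1.2.\n", hosts_deny="ALL: ALL\n",
)

if __name__ == "__main__":
    for name, host in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {name}: {summarize(audit(host))}")
        for severity, message in audit(host):
            print(f"  [{severity}] {message}")
```

Running it prints the findings for both sample hosts. On a real system the same checks run against the live files, but the inventory of listening services the mitigation asks for should still come from netstat or a port scan, since daemons started outside inetd never appear in inetd.conf.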
                    In addition, for those systems that have not undergone an independent review, the IMSS will make those systems a priority for an independent review during the next 12 months.

Vulnerability #12:  Lack of warning banners.
Threat:             All threat areas could exploit this vulnerability.
Discussion:         Components of seven of the critical SBU IT assets did not display warning banners before the system sign-on screen.
Risk Rating:        Low
Mitigation Action:  Ensure all critical IT assets display warning banners before the system sign-on screen. The IMSS will utilize its internal database to track the resolution of this vulnerability.


   Source: Justice Management Division's March 2002 Vulnerability Assessment


                                                                 APPENDIX 9

 FLOW OF INFORMATION WITH THE DEPARTMENT OF STATE AND US CUSTOMS

[Diagram not reproduced in this text.]

Source: Justice Management Division's November 13, 2001, Draft Information Sharing Memorandum


                                                     APPENDIX 10

    DEPARTMENT ENTITIES THAT HAD CIP TASK FORCE MEMBERS

Law Enforcement:
     Criminal Division Litigation
     Criminal Division Computer Crime
     Drug Enforcement Administration
     INS
     Bureau of Prisons
     United States Marshals Service
     FBI
     Interpol
     Executive Office for United States Attorneys

Litigating Divisions:
     Civil Rights
     Antitrust
     Environment and Natural Resources Division
     Tax Division
     Civil Division

Other:
     Office of the Deputy Attorney General
     Office of the Pardon Attorney
     Office of Information and Privacy
     Solicitor General
     Associate Attorney General
     Office of Intelligence Policy and Review
     Executive Office for United States Trustees
     Security and Emergency Planning Staff
     Office of Justice Programs
     JMD – Systems Technology Staff
     JMD – Personnel Staff
     Office of Professional Responsibility


                           APPENDIX 11

JMD'S RESPONSE TO THE DRAFT REPORT

[JMD's response appears as scanned pages 92 through 100 of the report and is not reproduced in this text.]


                                                            APPENDIX 12

     OIG, AUDIT DIVISION ANALYSES AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT


     In its response to the draft report, JMD agreed with all of our audit recommendations. JMD's response to the draft audit report is included as Appendix 11 of this final report.

Recommendation number:

1.   Resolved. This recommendation is resolved based on JMD's plans to use the Automated Security Self-Evaluation and Remedial Tracking (ASSERT) tool to track activities to accredit IT systems. This recommendation can be closed after our review of documentation demonstrating that the ASSERT tool is being used to track risk mitigation activities for classified systems.

2.   Resolved. This recommendation is resolved based on JMD's plans to develop multi-year funding plans following the completion of Step 2 of Project Matrix and the implementation of the ASSERT tool to track vulnerabilities, mitigation actions, and resources for classified and unclassified systems. This recommendation can be closed after our review of the multi-year funding plan linked to identified vulnerabilities for the critical assets.

3.   Resolved. This recommendation is resolved based on JMD's plans to use the ASSERT tool to monitor components' progress in mitigating IT vulnerabilities on a component-by-component basis. This recommendation can be closed after our review of documentation demonstrating that the ASSERT tool is being used to track IT vulnerabilities on a component-by-component basis.

4.   Resolved. This recommendation is resolved based on JMD's plans to establish a "help desk" dedicated to assisting and tracking the development of certification and accreditation documents by components for IT systems. This recommendation can be closed after our review of documentation demonstrating that the status of certification and accreditation for critical IT systems is being monitored at least quarterly.

5.   Resolved. This recommendation is resolved based on JMD's plans to use the ASSERT tool in accordance with OMB guidance and to modify it, if required, to include fields for identified vulnerabilities, the source of the vulnerabilities, performance measures to track progress in mitigating vulnerabilities, and resources required. This recommendation can be closed after our review of documentation demonstrating that the ASSERT tool captures POA&M data and (1) clearly addresses the vulnerabilities identified from vulnerability assessments, (2) includes the source of the vulnerabilities, (3) describes the performance measures used to track progress in mitigating weaknesses, and (4) identifies resources required for implementing risk mitigation activities for each identified vulnerability.

6.   Resolved. This recommendation is resolved based on JMD's plans to review the vulnerability assessments of the IT systems that were added to the list to ensure they meet the requirements of PDD 63, and on the ITSS's plans to assist the components in developing risk mitigation plans. This recommendation can be closed after our review of the vulnerability assessments and risk mitigation plans for assets newly added to the MEI, or of documentation indicating that those assets are no longer critical.

7.   Resolved. This recommendation is resolved based on JMD's statement that, according to the results of Step 1 of Project Matrix, the ATF did not have any nationally critical functions, services, or products. This recommendation can be closed after our review of documentation of the results of Step 1 of Project Matrix demonstrating that ATF had no critical functions, services, or products.

8.   Resolved. This recommendation is resolved based on JMD's plans to develop a work plan for attaining full operating capability. This recommendation can be closed after our review of the plan for attaining full operating capability.

9.   Resolved. This recommendation is resolved based on JMD's statement that it has developed a draft standard for incident response, which includes requirements for secure, timely, and effective communication channels. This recommendation can be closed after our review of a copy of the final standard and documentation of its implementation.

10.  Resolved. This recommendation is resolved based on JMD's statements that it currently reports incidents to, and conducts liaison with, the FedCIRC and the NIPC. Additionally, JMD indicated that the DOJCERT will contact the FBI and obtain a point of contact for incident response-related actions in the Strategic Information Operations Center. This recommendation can be closed after our review of a list of the liaisons JMD has established with FedCIRC, the NIPC, and the Strategic Information Operations Center. We also request, for review, a copy of JMD's plans to ensure the effectiveness of the liaisons established.

11.  Resolved. This recommendation is resolved based on JMD's plans to have the DOJCERT and the Cyber Defense Operations Project Team review the components' incident response plans and reports. In addition, JMD plans for the ITSS C&A "help desk" to assist the components in developing their incident response procedures and plans, and intends to use test cases for reporting incidents to verify incident reporting. This recommendation can be closed after our review of documentation demonstrating the DOJCERT's and the Cyber Defense Operations Project Team's review of components' incident response plans and reports.

12.  Resolved. This recommendation is resolved based on JMD's statement that DOJCERT currently analyzes incidents, provides reports on the nature, frequency, category, and remediation actions taken, and performs analysis to identify potential trends and systemic weaknesses. This recommendation can be closed after our review of the final technical standard and template, the most recently completed examples of DOJCERT analysis and reports on incidents, and the most recently completed analysis of trends and weaknesses. We also would like to review the first evaluation by ITSS using test cases developed from FedCIRC reporting requirements.

13.  Resolved. (a) This recommendation is resolved based on JMD's statement that it intends to verify DOJCERT's reporting process using test cases. This recommendation can be closed after our review of documentation demonstrating DOJCERT's reporting process as exercised by the test cases.

     (b) This recommendation is resolved based on JMD's plans to use incident reports and analysis provided by DOJCERT to develop a list of vulnerabilities of the critical IT assets. ITSS will review the Exhibit 300s for the critical IT systems and ensure that incident-related vulnerabilities are addressed. This recommendation can be closed after our review of evidence demonstrating that the results of incident reports and analysis provided by DOJCERT are used in the budget process to support and justify future CIP resource expenditures.

14.  Resolved. This recommendation is resolved based on JMD's plans for the DOJCERT, Cyber Defense Project Team, and C&A "help desk" to assist the components in developing their internal incident response procedures, in the form of standards, a template, and document review with comments. This recommendation can be closed after our review of documentation demonstrating that ITSS has copies of the internal response procedures and a list of the appropriate individuals for reporting incidents to the DOJCERT.

15.  Resolved. This recommendation is resolved based on JMD's plans to develop an incident response plan template. In addition, JMD plans for the DOJCERT and Cyber Defense Operations Project Team to assist the components in testing incident response plans. This recommendation can be closed after our review of documentation demonstrating tests of response plans.

16.  Resolved. This recommendation is resolved based on JMD's plans to review certification and accreditation documents to determine whether each system has a contingency plan, as critical assets are identified after the conclusion of Step 2 of Project Matrix. This recommendation can be closed after our review of contingency plans for the critical systems.

17.  Resolved. This recommendation is resolved based on JMD's plans to review contingency plans as they are identified during Step 2 of Project Matrix, maintain a spreadsheet on the status of the contingency plans, and update the data quarterly. This recommendation can be closed after our review of documentation demonstrating quarterly monitoring of contingency planning.

18.  Resolved. This recommendation is resolved based on JMD's plans to replace DOJ Order 2640.2D with DOJ Order 2640.2E and to include the requirements of the new order in the contingency plan standard and template. Additionally, JMD intends to have the contingency plans reviewed at the C&A "help desk" and to use test cases to verify that contingency plans contain the required elements. This recommendation can be closed after our review of documentation demonstrating that contingency plans for critical IT assets address all required elements.

19.  Resolved. This recommendation is resolved based on JMD's plans to develop a template for contingency plans. The template is expected to include a signature page for the component approving officials, and ITSS will track the validation through the ASSERT tool. This recommendation can be closed after our review of documentation demonstrating that the contingency plans for the critical IT assets have been approved by the appropriate officials.

20.  Resolved. This recommendation is resolved based on JMD's plans to develop a schedule for the testing of contingency plans for all critical IT systems and to monitor those tests. This recommendation can be closed when we receive documentation demonstrating that the contingency plans for the critical IT assets have been tested.

21.  Resolved. This recommendation is resolved based on JMD's plans to develop and maintain a database to track liaison and interagency relationships for critical IT systems. This recommendation can be closed after our review of documentation demonstrating that a database has been developed to track liaison and interagency relationships and has been populated.

22.  Resolved. This recommendation is resolved based on JMD's plans to request that components review their service level agreements or Memorandums of Understanding and contact other agencies that indicate the support provided by the Department is critical to their operations. Additionally, Step 2 of Project Matrix will identify agencies that have critical assets connected to the Department's systems. This recommendation can be closed after our review of documentation demonstrating that the Department has identified which of its assets are critical to other agencies.

23.  Resolved. This recommendation is resolved based on JMD's plans to develop and maintain a database to track liaison and interagency relationships for critical IT systems. This recommendation can be closed after our review of documentation demonstrating that a database for tracking liaison and interagency relationships for critical IT systems has been developed and populated.

24.  Resolved. This recommendation is resolved based on JMD's statement that it has established the Department's Information Technology Security Council (ITSC), which will be used to address CIP issues. This recommendation can be closed after our review of documentation demonstrating that the ITSC is addressing CIP issues.

25.  Resolved. This recommendation is resolved based on JMD's plans to complete, after Project Matrix is finished, an assessment of the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses. This recommendation can be closed after our review of documentation demonstrating that JMD has completed an assessment of the linkages between budgetary and personnel shortfalls and critical infrastructure weaknesses.

26.  Resolved. This recommendation is resolved based on JMD's statement that it has hired an individual from the Cyber Corps Program and is in the process of hiring another. Both Cyber Corps individuals will be part of the ITSS, and their duties will support parts of the critical infrastructure program, such as developing templates for risk assessments. Additionally, as part of its program to retain security professionals, ITSS sponsors the Department's seminar and testing for the Certified Information Systems Security Professional (CISSP) program. A formal training and retention plan is being developed by the IT Security Employee Services Project Team. This recommendation can be closed after our review of a copy of the formal training and retention plan.